<!DOCTYPE html
  PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
  "DTD/xhtml1-strict.dtd">
<html>
  <head>
    <title>Class Hierarchy</title>
    <link href="apidocs.css" type="text/css" rel="stylesheet" />
  </head>
  <body>
    <h1>Class Hierarchy</h1>
    <ul>
    <li>AssertionError<ul><li><a name="volatility.addrspace.ASAssertionError"></a><a href="volatility.addrspace.ASAssertionError.html">volatility.addrspace.ASAssertionError</a> - <span class="undocumented">Undocumented</span></li></ul></li><li>datetime.tzinfo<ul><li><a name="volatility.timefmt.OffsetTzInfo"></a><a href="volatility.timefmt.OffsetTzInfo.html">volatility.timefmt.OffsetTzInfo</a> - <span>Timezone implementation that allows offsets specified in seconds</span></li><li><a name="volatility.timefmt.UTC"></a><a href="volatility.timefmt.UTC.html">volatility.timefmt.UTC</a> - <span>Concrete instance of the UTC timezone</span></li></ul></li><li>Exception<ul><li><a name="volatility.cache.InvalidCache"></a><a href="volatility.cache.InvalidCache.html">volatility.cache.InvalidCache</a> - <span>Exception raised when the cache item is determined to be invalid.</span></li><li><a name="volatility.exceptions.VolatilityException"></a><a href="volatility.exceptions.VolatilityException.html">volatility.exceptions.VolatilityException</a> - <span>Generic Volatility Specific exception, to help differentiate from other exceptions</span><ul><li><a name="volatility.cache.CacheContainsGenerator"></a><a href="volatility.cache.CacheContainsGenerator.html">volatility.cache.CacheContainsGenerator</a> - <span>Exception raised when the cache contains a generator</span></li><li><a name="volatility.exceptions.AddrSpaceError"></a><a href="volatility.exceptions.AddrSpaceError.html">volatility.exceptions.AddrSpaceError</a> - <span>Address Space Exception, so we can catch and deal with it in the main program</span></li><li><a name="volatility.exceptions.CacheRelativeURLException"></a><a href="volatility.exceptions.CacheRelativeURLException.html">volatility.exceptions.CacheRelativeURLException</a> - <span>Exception for gracefully not saving Relative URLs in the cache</span></li><li><a name="volatility.exceptions.SanityCheckException"></a><a href="volatility.exceptions.SanityCheckException.html">volatility.exceptions.SanityCheckException</a> - <span>Exception for failed sanity checks (which can potentially be disabled)</span></li><li><a name="volatility.obj.InvalidOffsetError"></a><a href="volatility.obj.InvalidOffsetError.html">volatility.obj.InvalidOffsetError</a> - <span>Simple placeholder to identify invalid offsets</span></li></ul></li></ul></li><li>object<ul><li><a name="volatility.addrspace.BaseAddressSpace"></a><a href="volatility.addrspace.BaseAddressSpace.html">volatility.addrspace.BaseAddressSpace</a> - <span>This is the base class of all Address Spaces.</span><ul><li><a name="volatility.addrspace.AbstractVirtualAddressSpace"></a><a href="volatility.addrspace.AbstractVirtualAddressSpace.html">volatility.addrspace.AbstractVirtualAddressSpace</a> - <span>Base Ancestor for all Virtual address spaces, as determined by astype</span><ul><li><a name="volatility.plugins.addrspaces.standard.AbstractPagedMemory"></a><a href="volatility.plugins.addrspaces.standard.AbstractPagedMemory.html">volatility.plugins.addrspaces.standard.AbstractPagedMemory</a> - <span>Class to handle all the associated details of a paged address space</span><ul><li><a name="volatility.plugins.addrspaces.standard.AbstractWritablePagedMemory"></a><a href="volatility.plugins.addrspaces.standard.AbstractWritablePagedMemory.html">volatility.plugins.addrspaces.standard.AbstractWritablePagedMemory</a> - <span>Mixin class that can be used to add write functionality to any standard address space that supports write() and vtop().</span><ul><li><a name="volatility.plugins.addrspaces.intel.JKIA32PagedMemory"></a><a href="volatility.plugins.addrspaces.intel.JKIA32PagedMemory.html">volatility.plugins.addrspaces.intel.JKIA32PagedMemory</a> - <span>Standard x86 32 bit non PAE address space.</span><ul><li><a name="volatility.plugins.addrspaces.intel.JKIA32PagedMemoryPae"></a><a href="volatility.plugins.addrspaces.intel.JKIA32PagedMemoryPae.html">volatility.plugins.addrspaces.intel.JKIA32PagedMemoryPae</a> - <span>Standard x86 32 bit PAE address space.</span><ul><li><a name="volatility.plugins.addrspaces.amd64.AMD64PagedMemory"></a><a href="volatility.plugins.addrspaces.amd64.AMD64PagedMemory.html">volatility.plugins.addrspaces.amd64.AMD64PagedMemory</a> - <span>Standard AMD 64-bit address space.</span></li></ul></li></ul></li><li><a name="volatility.plugins.addrspaces.legacyintel.IA32PagedMemory"></a><a href="volatility.plugins.addrspaces.legacyintel.IA32PagedMemory.html">volatility.plugins.addrspaces.legacyintel.IA32PagedMemory</a> - <span>Legacy x86 non PAE address space (to use specify --use_old_as)</span><ul><li><a name="volatility.plugins.addrspaces.legacyintel.IA32PagedMemoryPae"></a><a href="volatility.plugins.addrspaces.legacyintel.IA32PagedMemoryPae.html">volatility.plugins.addrspaces.legacyintel.IA32PagedMemoryPae</a> - <span>Legacy x86 PAE address space (to use specify --use_old_as)</span></li></ul></li></ul></li></ul></li></ul></li><li><a name="volatility.addrspace.BufferAddressSpace"></a><a href="volatility.addrspace.BufferAddressSpace.html">volatility.addrspace.BufferAddressSpace</a> - <span class="undocumented">Undocumented</span></li><li><a name="volatility.plugins.addrspaces.ieee1394.FirewireAddressSpace"></a><a href="volatility.plugins.addrspaces.ieee1394.FirewireAddressSpace.html">volatility.plugins.addrspaces.ieee1394.FirewireAddressSpace</a> - <span>A physical layer address space that provides access via firewire</span></li><li><a href="volatility.plugins.addrspaces.intel.JKIA32PagedMemory.html">volatility.plugins.addrspaces.intel.JKIA32PagedMemory</a> - <span>Standard x86 32 bit non PAE address space.</span><ul><li><a href="volatility.plugins.addrspaces.intel.JKIA32PagedMemoryPae.html">volatility.plugins.addrspaces.intel.JKIA32PagedMemoryPae</a> - <span>Standard x86 32 bit PAE address space.</span><ul><li><a href="volatility.plugins.addrspaces.amd64.AMD64PagedMemory.html">volatility.plugins.addrspaces.amd64.AMD64PagedMemory</a> - <span>Standard AMD 64-bit address space.</span></li></ul></li></ul></li><li><a href="volatility.plugins.addrspaces.legacyintel.IA32PagedMemory.html">volatility.plugins.addrspaces.legacyintel.IA32PagedMemory</a> - <span>Legacy x86 non PAE address space (to use specify --use_old_as)</span><ul><li><a href="volatility.plugins.addrspaces.legacyintel.IA32PagedMemoryPae.html">volatility.plugins.addrspaces.legacyintel.IA32PagedMemoryPae</a> - <span>Legacy x86 PAE address space (to use specify --use_old_as)</span></li></ul></li><li><a name="volatility.plugins.addrspaces.lime.LimeAddressSpace"></a><a href="volatility.plugins.addrspaces.lime.LimeAddressSpace.html">volatility.plugins.addrspaces.lime.LimeAddressSpace</a> - <span>Address space for Lime</span></li><li><a name="volatility.plugins.addrspaces.standard.FileAddressSpace"></a><a href="volatility.plugins.addrspaces.standard.FileAddressSpace.html">volatility.plugins.addrspaces.standard.FileAddressSpace</a> - <span>This is a direct file AS.</span><ul><li><a name="volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32"></a><a href="volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32.html">volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace32</a> - <span>This AS supports windows Crash Dump format</span><ul><li><a name="volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64"></a><a href="volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64.html">volatility.plugins.addrspaces.crash.WindowsCrashDumpSpace64</a> - <span>This AS supports windows Crash Dump format</span></li></ul></li><li><a name="volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32"></a><a href="volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32.html">volatility.plugins.addrspaces.hibernate.WindowsHiberFileSpace32</a> - <span>This is a hibernate address space for windows hibernation files.</span></li></ul></li><li><a name="volatility.win32.hive.HiveAddressSpace"></a><a href="volatility.win32.hive.HiveAddressSpace.html">volatility.win32.hive.HiveAddressSpace</a> - <span class="undocumented">Undocumented</span></li><li><a name="volatility.win32.hive.HiveFileAddressSpace"></a><a href="volatility.win32.hive.HiveFileAddressSpace.html">volatility.win32.hive.HiveFileAddressSpace</a> - <span class="undocumented">Undocumented</span></li></ul></li><li><a name="volatility.cache.CacheDecorator"></a><a href="volatility.cache.CacheDecorator.html">volatility.cache.CacheDecorator</a> - <span>This decorator will memoise a function in the cache</span><ul><li><a name="volatility.cache.TestDecorator"></a><a href="volatility.cache.TestDecorator.html">volatility.cache.TestDecorator</a> - <span>This decorator is just like a CacheDecorator, but will <em>always</em> cache fully</span></li></ul></li><li><a name="volatility.cache.CacheNode"></a><a href="volatility.cache.CacheNode.html">volatility.cache.CacheNode</a> - <span>Base class for Cache nodes</span><ul><li><a name="volatility.cache.BlockingNode"></a><a href="volatility.cache.BlockingNode.html">volatility.cache.BlockingNode</a> - <span>Node that fails on all cache attempts and no-ops on cache storage attempts</span></li></ul></li><li><a name="volatility.cache.CacheStorage"></a><a href="volatility.cache.CacheStorage.html">volatility.cache.CacheStorage</a> - <span>The base class for implementation storing the cache.</span></li><li><a name="volatility.cache.CacheTree"></a><a href="volatility.cache.CacheTree.html">volatility.cache.CacheTree</a> - <span>An abstract structure which represents the cache tree</span></li><li><a name="volatility.cache.Invalidator"></a><a href="volatility.cache.Invalidator.html">volatility.cache.Invalidator</a> - <span>The Invalidator encapsulates program state to control invalidation of the cache.</span></li><li><a name="volatility.cache.Testable"></a><a href="volatility.cache.Testable.html">volatility.cache.Testable</a> - <span>This is a mixin that makes a class response to the unit tests</span><ul><li><a name="volatility.plugins.taskmods.DllList"></a><a href="volatility.plugins.taskmods.DllList.html">volatility.plugins.taskmods.DllList</a> - <span>Print list of loaded dlls for each process</span><ul><li><a name="volatility.plugins.envars.Envars"></a><a href="volatility.plugins.envars.Envars.html">volatility.plugins.envars.Envars</a> - <span>Display process environment variables</span></li><li><a name="volatility.plugins.getsids.GetSIDs"></a><a href="volatility.plugins.getsids.GetSIDs.html">volatility.plugins.getsids.GetSIDs</a> - <span>Print the SIDs owning each process</span></li><li><a name="volatility.plugins.handles.Handles"></a><a href="volatility.plugins.handles.Handles.html">volatility.plugins.handles.Handles</a> - <span>Print list of open handles for each process</span></li><li><a name="volatility.plugins.malware.malfind.LdrModules"></a><a href="volatility.plugins.malware.malfind.LdrModules.html">volatility.plugins.malware.malfind.LdrModules</a> - <span>Detect unlinked DLLs</span></li><li><a name="volatility.plugins.malware.malfind.YaraScan"></a><a href="volatility.plugins.malware.malfind.YaraScan.html">volatility.plugins.malware.malfind.YaraScan</a> - <span>Scan process or kernel memory with Yara signatures</span></li><li><a name="volatility.plugins.malware.threads.Threads"></a><a href="volatility.plugins.malware.threads.Threads.html">volatility.plugins.malware.threads.Threads</a> - <span>Investigate _ETHREAD and _KTHREADs</span></li><li><a name="volatility.plugins.procdump.ProcExeDump"></a><a href="volatility.plugins.procdump.ProcExeDump.html">volatility.plugins.procdump.ProcExeDump</a> - <span>Dump a process to an executable file sample</span><ul><li><a name="volatility.plugins.dlldump.DLLDump"></a><a href="volatility.plugins.dlldump.DLLDump.html">volatility.plugins.dlldump.DLLDump</a> - <span>Dump DLLs from a process address space</span></li><li><a name="volatility.plugins.malware.apihooks.ApiHooks"></a><a href="volatility.plugins.malware.apihooks.ApiHooks.html">volatility.plugins.malware.apihooks.ApiHooks</a> - <span>Detect API hooks in process and kernel memory</span></li><li><a name="volatility.plugins.moddump.ModDump"></a><a href="volatility.plugins.moddump.ModDump.html">volatility.plugins.moddump.ModDump</a> - <span>Dump a kernel driver to an executable file sample</span></li><li><a name="volatility.plugins.procdump.ProcMemDump"></a><a href="volatility.plugins.procdump.ProcMemDump.html">volatility.plugins.procdump.ProcMemDump</a> - <span>Dump a process to an executable memory sample</span></li></ul></li><li><a name="volatility.plugins.strings.Strings"></a><a href="volatility.plugins.strings.Strings.html">volatility.plugins.strings.Strings</a> - <span>Match physical offsets to virtual addresses (may take a while, VERY verbose)</span></li><li><a name="volatility.plugins.taskmods.MemMap"></a><a href="volatility.plugins.taskmods.MemMap.html">volatility.plugins.taskmods.MemMap</a> - <span>Print the memory map</span><ul><li><a name="volatility.plugins.taskmods.MemDump"></a><a href="volatility.plugins.taskmods.MemDump.html">volatility.plugins.taskmods.MemDump</a> - <span>Dump the addressable memory for a process</span></li></ul></li><li><a name="volatility.plugins.taskmods.PSList"></a><a href="volatility.plugins.taskmods.PSList.html">volatility.plugins.taskmods.PSList</a> - <span>Print all running processes by following the EPROCESS lists</span></li><li><a name="volatility.plugins.vadinfo.VADInfo"></a><a href="volatility.plugins.vadinfo.VADInfo.html">volatility.plugins.vadinfo.VADInfo</a> - <span>Dump the VAD info</span><ul><li><a name="volatility.plugins.vadinfo.VADDump"></a><a href="volatility.plugins.vadinfo.VADDump.html">volatility.plugins.vadinfo.VADDump</a> - <span>Dumps out the vad sections to a file</span><ul><li><a name="volatility.plugins.malware.malfind.Malfind"></a><a href="volatility.plugins.malware.malfind.Malfind.html">volatility.plugins.malware.malfind.Malfind</a> - <span>Find hidden and injected code</span></li></ul></li><li><a name="volatility.plugins.vadinfo.VADTree"></a><a href="volatility.plugins.vadinfo.VADTree.html">volatility.plugins.vadinfo.VADTree</a> - <span>Walk the VAD tree and display in tree format</span></li><li><a name="volatility.plugins.vadinfo.VADWalk"></a><a href="volatility.plugins.vadinfo.VADWalk.html">volatility.plugins.vadinfo.VADWalk</a> - <span>Walk the VAD tree</span></li></ul></li></ul></li></ul></li><li><a name="volatility.commands.Command"></a><a href="volatility.commands.Command.html">volatility.commands.Command</a> - <span>Base class for each plugin command</span><ul><li><a name="volatility.plugins.common.AbstractWindowsCommand"></a><a href="volatility.plugins.common.AbstractWindowsCommand.html">volatility.plugins.common.AbstractWindowsCommand</a> - <span class="undocumented">Undocumented</span><ul><li><a name="volatility.plugins.bioskbd.BiosKbd"></a><a href="volatility.plugins.bioskbd.BiosKbd.html">volatility.plugins.bioskbd.BiosKbd</a> - <span>Reads the keyboard buffer from Real Mode memory</span></li><li><a name="volatility.plugins.connections.Connections"></a><a href="volatility.plugins.connections.Connections.html">volatility.plugins.connections.Connections</a> - <span>Print list of open connections [Windows XP and 2003 Only] ---------------------------------------------</span></li><li><a name="volatility.plugins.connscan.ConnScan"></a><a href="volatility.plugins.connscan.ConnScan.html">volatility.plugins.connscan.ConnScan</a> - <span>Scan Physical memory for _TCPT_OBJECT objects (tcp connections)</span></li><li><a name="volatility.plugins.crashinfo.CrashInfo"></a><a href="volatility.plugins.crashinfo.CrashInfo.html">volatility.plugins.crashinfo.CrashInfo</a> - <span>Dump crash-dump information</span></li><li><a name="volatility.plugins.evtlogs.EvtLogs"></a><a href="volatility.plugins.evtlogs.EvtLogs.html">volatility.plugins.evtlogs.EvtLogs</a> - <span>Extract Windows Event Logs (XP/2003 only)</span></li><li><a name="volatility.plugins.filescan.FileScan"></a><a href="volatility.plugins.filescan.FileScan.html">volatility.plugins.filescan.FileScan</a> - <span>Scan Physical memory for _FILE_OBJECT pool allocations</span><ul><li><a name="volatility.plugins.filescan.DriverScan"></a><a href="volatility.plugins.filescan.DriverScan.html">volatility.plugins.filescan.DriverScan</a> - <span>Scan for driver objects _DRIVER_OBJECT</span><ul><li><a name="volatility.plugins.malware.devicetree.DeviceTree"></a><a href="volatility.plugins.malware.devicetree.DeviceTree.html">volatility.plugins.malware.devicetree.DeviceTree</a> - <span>Show device tree</span></li><li><a name="volatility.plugins.malware.devicetree.DriverIrp"></a><a href="volatility.plugins.malware.devicetree.DriverIrp.html">volatility.plugins.malware.devicetree.DriverIrp</a> - <span>Driver IRP hook detection</span></li></ul></li><li><a name="volatility.plugins.filescan.MutantScan"></a><a href="volatility.plugins.filescan.MutantScan.html">volatility.plugins.filescan.MutantScan</a> - <span>Scan for mutant objects _KMUTANT</span></li><li><a name="volatility.plugins.filescan.SymLinkScan"></a><a href="volatility.plugins.filescan.SymLinkScan.html">volatility.plugins.filescan.SymLinkScan</a> - <span>Scan for symbolic link objects</span></li><li><a name="volatility.plugins.gui.windowstations.WndScan"></a><a href="volatility.plugins.gui.windowstations.WndScan.html">volatility.plugins.gui.windowstations.WndScan</a> - <span>Pool scanner for tagWINDOWSTATION (window stations)</span><ul><li><a name="volatility.plugins.gui.desktops.DeskScan"></a><a href="volatility.plugins.gui.desktops.DeskScan.html">volatility.plugins.gui.desktops.DeskScan</a> - <span>Poolscaner for tagDESKTOP (desktops)</span></li><li><a name="volatility.plugins.gui.screenshot.Screenshot"></a><a href="volatility.plugins.gui.screenshot.Screenshot.html">volatility.plugins.gui.screenshot.Screenshot</a> - <span>Save a pseudo-screenshot based on GDI windows</span></li></ul></li><li><a name="volatility.plugins.modscan.ModScan"></a><a href="volatility.plugins.modscan.ModScan.html">volatility.plugins.modscan.ModScan</a> - <span>Scan Physical memory for _LDR_DATA_TABLE_ENTRY objects</span><ul><li><a name="volatility.plugins.modscan.ThrdScan"></a><a href="volatility.plugins.modscan.ThrdScan.html">volatility.plugins.modscan.ThrdScan</a> - <span>Scan physical memory for _ETHREAD objects</span></li></ul></li></ul></li><li><a name="volatility.plugins.filescan.PSScan"></a><a href="volatility.plugins.filescan.PSScan.html">volatility.plugins.filescan.PSScan</a> - <span>Scan Physical memory for _EPROCESS pool allocations</span></li><li><a name="volatility.plugins.getservicesids.GetServiceSids"></a><a href="volatility.plugins.getservicesids.GetServiceSids.html">volatility.plugins.getservicesids.GetServiceSids</a> - <span>Get the names of services in the Registry and return Calculated SID</span></li><li><a name="volatility.plugins.gui.atoms.Atoms"></a><a href="volatility.plugins.gui.atoms.Atoms.html">volatility.plugins.gui.atoms.Atoms</a> - <span>Print session and window station atom tables</span><ul><li><a name="volatility.plugins.gui.messagehooks.MessageHooks"></a><a href="volatility.plugins.gui.messagehooks.MessageHooks.html">volatility.plugins.gui.messagehooks.MessageHooks</a> - <span>List desktop and thread window message hooks</span><ul><li><a name="volatility.plugins.gui.windows.Windows"></a><a href="volatility.plugins.gui.windows.Windows.html">volatility.plugins.gui.windows.Windows</a> - <span>Print Desktop Windows (verbose details)</span></li><li><a name="volatility.plugins.gui.windows.WinTree"></a><a href="volatility.plugins.gui.windows.WinTree.html">volatility.plugins.gui.windows.WinTree</a> - <span>Print Z-Order Desktop Windows Tree</span></li></ul></li></ul></li><li><a name="volatility.plugins.gui.atoms.AtomScan"></a><a href="volatility.plugins.gui.atoms.AtomScan.html">volatility.plugins.gui.atoms.AtomScan</a> - <span>Pool scanner for _RTL_ATOM_TABLE</span></li><li><a name="volatility.plugins.gui.clipboard.Clipboard"></a><a href="volatility.plugins.gui.clipboard.Clipboard.html">volatility.plugins.gui.clipboard.Clipboard</a> - <span>Extract the contents of the windows clipboard</span></li><li><a name="volatility.plugins.gui.gditimers.GDITimers"></a><a href="volatility.plugins.gui.gditimers.GDITimers.html">volatility.plugins.gui.gditimers.GDITimers</a> - <span>Print installed GDI timers and callbacks</span></li><li><a name="volatility.plugins.gui.sessions.Sessions"></a><a href="volatility.plugins.gui.sessions.Sessions.html">volatility.plugins.gui.sessions.Sessions</a> - <span>List details on _MM_SESSION_SPACE (user logon sessions)</span><ul><li><a name="volatility.plugins.gui.eventhooks.EventHooks"></a><a href="volatility.plugins.gui.eventhooks.EventHooks.html">volatility.plugins.gui.eventhooks.EventHooks</a> - <span>Print details on windows event hooks</span></li><li><a name="volatility.plugins.gui.gahti.Gahti"></a><a href="volatility.plugins.gui.gahti.Gahti.html">volatility.plugins.gui.gahti.Gahti</a> - <span>Dump the USER handle type information</span></li><li><a name="volatility.plugins.gui.userhandles.UserHandles"></a><a href="volatility.plugins.gui.userhandles.UserHandles.html">volatility.plugins.gui.userhandles.UserHandles</a> - <span>Dump the USER handle tables</span></li></ul></li><li><a name="volatility.plugins.hibinfo.HibInfo"></a><a href="volatility.plugins.hibinfo.HibInfo.html">volatility.plugins.hibinfo.HibInfo</a> - <span>Dump hibernation file information</span></li><li><a name="volatility.plugins.imagecopy.ImageCopy"></a><a href="volatility.plugins.imagecopy.ImageCopy.html">volatility.plugins.imagecopy.ImageCopy</a> - <span>Copies a physical address space out as a raw DD image</span><ul><li><a name="volatility.plugins.raw2dmp.Raw2dmp"></a><a href="volatility.plugins.raw2dmp.Raw2dmp.html">volatility.plugins.raw2dmp.Raw2dmp</a> - <span>Converts a physical memory sample to a windbg crash dump</span></li></ul></li><li><a name="volatility.plugins.kdbgscan.KDBGScan"></a><a href="volatility.plugins.kdbgscan.KDBGScan.html">volatility.plugins.kdbgscan.KDBGScan</a> - <span>Search for and dump potential KDBG values</span><ul><li><a name="volatility.plugins.imageinfo.ImageInfo"></a><a href="volatility.plugins.imageinfo.ImageInfo.html">volatility.plugins.imageinfo.ImageInfo</a> - <span>Identify information for the image</span></li></ul></li><li><a name="volatility.plugins.kpcrscan.KPCRScan"></a><a href="volatility.plugins.kpcrscan.KPCRScan.html">volatility.plugins.kpcrscan.KPCRScan</a> - <span>Search for and dump potential KPCR values</span></li><li><a name="volatility.plugins.malware.callbacks.Callbacks"></a><a href="volatility.plugins.malware.callbacks.Callbacks.html">volatility.plugins.malware.callbacks.Callbacks</a> - <span>Print system-wide notification routines</span></li><li><a name="volatility.plugins.malware.cmdhistory.CmdScan"></a><a href="volatility.plugins.malware.cmdhistory.CmdScan.html">volatility.plugins.malware.cmdhistory.CmdScan</a> - <span>Extract command history by scanning for _COMMAND_HISTORY</span><ul><li><a name="volatility.plugins.malware.cmdhistory.Consoles"></a><a href="volatility.plugins.malware.cmdhistory.Consoles.html">volatility.plugins.malware.cmdhistory.Consoles</a> - <span>Extract command history by scanning for _CONSOLE_INFORMATION</span></li></ul></li><li><a name="volatility.plugins.malware.idt.GDT"></a><a href="volatility.plugins.malware.idt.GDT.html">volatility.plugins.malware.idt.GDT</a> - <span>Display Global Descriptor Table</span></li><li><a name="volatility.plugins.malware.idt.IDT"></a><a href="volatility.plugins.malware.idt.IDT.html">volatility.plugins.malware.idt.IDT</a> - <span>Display Interrupt Descriptor Table</span></li><li><a name="volatility.plugins.malware.impscan.ImpScan"></a><a href="volatility.plugins.malware.impscan.ImpScan.html">volatility.plugins.malware.impscan.ImpScan</a> - <span>Scan for calls to imported functions</span></li><li><a name="volatility.plugins.malware.psxview.PsXview"></a><a href="volatility.plugins.malware.psxview.PsXview.html">volatility.plugins.malware.psxview.PsXview</a> - <span>Find hidden processes with various process listings</span></li><li><a name="volatility.plugins.malware.svcscan.SvcScan"></a><a href="volatility.plugins.malware.svcscan.SvcScan.html">volatility.plugins.malware.svcscan.SvcScan</a> - <span>Scan for Windows services</span></li><li><a name="volatility.plugins.malware.timers.Timers"></a><a href="volatility.plugins.malware.timers.Timers.html">volatility.plugins.malware.timers.Timers</a> - <span>Print kernel timers and associated module DPCs</span></li><li><a name="volatility.plugins.modules.Modules"></a><a href="volatility.plugins.modules.Modules.html">volatility.plugins.modules.Modules</a> - <span>Print list of loaded modules</span></li><li><a name="volatility.plugins.netscan.Netscan"></a><a href="volatility.plugins.netscan.Netscan.html">volatility.plugins.netscan.Netscan</a> - <span>Scan a Vista, 2008 or Windows 7 image for connections and sockets</span></li><li><a name="volatility.plugins.pstree.PSTree"></a><a href="volatility.plugins.pstree.PSTree.html">volatility.plugins.pstree.PSTree</a> - <span>Print process list as a tree</span></li><li><a name="volatility.plugins.registry.hivescan.HiveScan"></a><a href="volatility.plugins.registry.hivescan.HiveScan.html">volatility.plugins.registry.hivescan.HiveScan</a> - <span>Scan Physical memory for _CMHIVE objects (registry hives)</span><ul><li><a name="volatility.plugins.registry.hivelist.HiveList"></a><a href="volatility.plugins.registry.hivelist.HiveList.html">volatility.plugins.registry.hivelist.HiveList</a> - <span>Print list of registry hives.</span><ul><li><a name="volatility.plugins.registry.printkey.PrintKey"></a><a href="volatility.plugins.registry.printkey.PrintKey.html">volatility.plugins.registry.printkey.PrintKey</a> - <span>Print a registry key, and its subkeys and values</span><ul><li><a name="volatility.plugins.userassist.UserAssist"></a><a href="volatility.plugins.userassist.UserAssist.html">volatility.plugins.userassist.UserAssist</a> - <span>Print userassist registry keys and information</span></li></ul></li><li><a href="volatility.plugins.userassist.UserAssist.html">volatility.plugins.userassist.UserAssist</a> - <span>Print userassist registry keys and information</span></li></ul></li></ul></li><li><a name="volatility.plugins.registry.lsadump.HashDump"></a><a href="volatility.plugins.registry.lsadump.HashDump.html">volatility.plugins.registry.lsadump.HashDump</a> - <span>Dumps passwords hashes (LM/NTLM) from memory</span></li><li><a name="volatility.plugins.registry.lsadump.LSADump"></a><a href="volatility.plugins.registry.lsadump.LSADump.html">volatility.plugins.registry.lsadump.LSADump</a> - <span>Dump (decrypted) LSA secrets from the registry</span></li><li><a name="volatility.plugins.registry.printkey.HiveDump"></a><a href="volatility.plugins.registry.printkey.HiveDump.html">volatility.plugins.registry.printkey.HiveDump</a> - <span>Prints out a hive</span></li><li><a name="volatility.plugins.sockets.Sockets"></a><a href="volatility.plugins.sockets.Sockets.html">volatility.plugins.sockets.Sockets</a> - <span>Print list of open sockets</span></li><li><a name="volatility.plugins.sockscan.SockScan"></a><a href="volatility.plugins.sockscan.SockScan.html">volatility.plugins.sockscan.SockScan</a> - <span>Scan Physical memory for _ADDRESS_OBJECT objects (tcp sockets)</span></li><li><a name="volatility.plugins.ssdt.SSDT"></a><a href="volatility.plugins.ssdt.SSDT.html">volatility.plugins.ssdt.SSDT</a> - <span>Display SSDT entries</span></li><li><a href="volatility.plugins.taskmods.DllList.html">volatility.plugins.taskmods.DllList</a> - <span>Print list of loaded dlls for each process</span><ul><li><a href="volatility.plugins.envars.Envars.html">volatility.plugins.envars.Envars</a> - <span>Display process environment variables</span></li><li><a href="volatility.plugins.getsids.GetSIDs.html">volatility.plugins.getsids.GetSIDs</a> - <span>Print the SIDs owning each process</span></li><li><a href="volatility.plugins.handles.Handles.html">volatility.plugins.handles.Handles</a> - <span>Print list of open handles for each process</span></li><li><a href="volatility.plugins.malware.malfind.LdrModules.html">volatility.plugins.malware.malfind.LdrModules</a> - <span>Detect unlinked DLLs</span></li><li><a href="volatility.plugins.malware.malfind.YaraScan.html">volatility.plugins.malware.malfind.YaraScan</a> - <span>Scan process or kernel memory with Yara signatures</span></li><li><a href="volatility.plugins.malware.threads.Threads.html">volatility.plugins.malware.threads.Threads</a> - <span>Investigate _ETHREAD and _KTHREADs</span></li><li><a href="volatility.plugins.procdump.ProcExeDump.html">volatility.plugins.procdump.ProcExeDump</a> - <span>Dump a process to an executable file sample</span><ul><li><a href="volatility.plugins.dlldump.DLLDump.html">volatility.plugins.dlldump.DLLDump</a> - <span>Dump DLLs from a process address space</span></li><li><a href="volatility.plugins.malware.apihooks.ApiHooks.html">volatility.plugins.malware.apihooks.ApiHooks</a> - <span>Detect API hooks in process and kernel memory</span></li><li><a href="volatility.plugins.moddump.ModDump.html">volatility.plugins.moddump.ModDump</a> - <span>Dump a kernel driver to an executable file sample</span></li><li><a href="volatility.plugins.procdump.ProcMemDump.html">volatility.plugins.procdump.ProcMemDump</a> - <span>Dump a process to an executable memory sample</span></li></ul></li><li><a href="volatility.plugins.strings.Strings.html">volatility.plugins.strings.Strings</a> - <span>Match physical offsets to virtual addresses (may take a while, VERY verbose)</span></li><li><a href="volatility.plugins.taskmods.MemMap.html">volatility.plugins.taskmods.MemMap</a> - <span>Print the memory map</span><ul><li><a href="volatility.plugins.taskmods.MemDump.html">volatility.plugins.taskmods.MemDump</a> - <span>Dump the addressable memory for a process</span></li></ul></li><li><a href="volatility.plugins.taskmods.PSList.html">volatility.plugins.taskmods.PSList</a> - <span>Print all running processes by following the EPROCESS lists</span></li><li><a href="volatility.plugins.vadinfo.VADInfo.html">volatility.plugins.vadinfo.VADInfo</a> - <span>Dump the VAD info</span><ul><li><a href="volatility.plugins.vadinfo.VADDump.html">volatility.plugins.vadinfo.VADDump</a> - <span>Dumps out the vad sections to a file</span><ul><li><a href="volatility.plugins.malware.malfind.Malfind.html">volatility.plugins.malware.malfind.Malfind</a> - <span>Find hidden and injected code</span></li></ul></li><li><a href="volatility.plugins.vadinfo.VADTree.html">volatility.plugins.vadinfo.VADTree</a> - <span>Walk the VAD tree and display in tree format</span></li><li><a href="volatility.plugins.vadinfo.VADWalk.html">volatility.plugins.vadinfo.VADWalk</a> - <span>Walk the VAD tree</span></li></ul></li></ul></li><li><a name="volatility.plugins.volshell.volshell"></a><a href="volatility.plugins.volshell.volshell.html">volatility.plugins.volshell.volshell</a> - <span>Shell in the memory image</span></li></ul></li><li><a name="volatility.plugins.linux.common.AbstractLinuxCommand"></a><a href="volatility.plugins.linux.common.AbstractLinuxCommand.html">volatility.plugins.linux.common.AbstractLinuxCommand</a> - <span class="undocumented">No class docstring; 2/15 methods, 0/1 static methods documented</span><ul><li><a name="volatility.plugins.linux.arp.linux_arp"></a><a href="volatility.plugins.linux.arp.linux_arp.html">volatility.plugins.linux.arp.linux_arp</a> - <span>Print the ARP table</span></li><li><a name="volatility.plugins.linux.check_afinfo.linux_check_afinfo"></a><a href="volatility.plugins.linux.check_afinfo.linux_check_afinfo.html">volatility.plugins.linux.check_afinfo.linux_check_afinfo</a> - <span>Verifies the operation function pointers of network protocols</span></li><li><a name="volatility.plugins.linux.check_fops.linux_check_fop"></a><a href="volatility.plugins.linux.check_fops.linux_check_fop.html">volatility.plugins.linux.check_fops.linux_check_fop</a> - <span>Check file operation structures for rootkit modifications</span></li><li><a name="volatility.plugins.linux.check_idt.linux_check_idt"></a><a href="volatility.plugins.linux.check_idt.linux_check_idt.html">volatility.plugins.linux.check_idt.linux_check_idt</a> - <span>Checks if the IDT has been altered</span></li><li><a name="volatility.plugins.linux.check_modules.linux_check_modules"></a><a href="volatility.plugins.linux.check_modules.linux_check_modules.html">volatility.plugins.linux.check_modules.linux_check_modules</a> - <span>Compares module list to sysfs info, if available</span></li><li><a name="volatility.plugins.linux.check_syscall.linux_check_syscall"></a><a href="volatility.plugins.linux.check_syscall.linux_check_syscall.html">volatility.plugins.linux.check_syscall.linux_check_syscall</a> - <span>Checks if the system call table has been altered</span></li><li><a name="volatility.plugins.linux.cpuinfo.linux_cpuinfo"></a><a href="volatility.plugins.linux.cpuinfo.linux_cpuinfo.html">volatility.plugins.linux.cpuinfo.linux_cpuinfo</a> - <span>Prints info about each active processor</span></li><li><a name="volatility.plugins.linux.dentry_cache.linux_dentry_cache"></a><a href="volatility.plugins.linux.dentry_cache.linux_dentry_cache.html">volatility.plugins.linux.dentry_cache.linux_dentry_cache</a> - <span>Gather files from the dentry cache</span></li><li><a name="volatility.plugins.linux.dmesg.linux_dmesg"></a><a href="volatility.plugins.linux.dmesg.linux_dmesg.html">volatility.plugins.linux.dmesg.linux_dmesg</a> - <span>Gather dmesg buffer</span></li><li><a name="volatility.plugins.linux.dump_map.linux_dump_map"></a><a href="volatility.plugins.linux.dump_map.linux_dump_map.html">volatility.plugins.linux.dump_map.linux_dump_map</a> - <span>Writes selected memory mappings to disk</span></li><li><a name="volatility.plugins.linux.find_file.linux_find_file"></a><a href="volatility.plugins.linux.find_file.linux_find_file.html">volatility.plugins.linux.find_file.linux_find_file</a> - <span>Recovers tmpfs filesystems from memory</span></li><li><a name="volatility.plugins.linux.ifconfig.linux_ifconfig"></a><a href="volatility.plugins.linux.ifconfig.linux_ifconfig.html">volatility.plugins.linux.ifconfig.linux_ifconfig</a> - <span>Gathers active interfaces</span></li><li><a name="volatility.plugins.linux.iomem.linux_iomem"></a><a href="volatility.plugins.linux.iomem.linux_iomem.html">volatility.plugins.linux.iomem.linux_iomem</a> - <span>Provides output similar to /proc/iomem</span></li><li><a name="volatility.plugins.linux.lsmod.linux_lsmod"></a><a href="volatility.plugins.linux.lsmod.linux_lsmod.html">volatility.plugins.linux.lsmod.linux_lsmod</a> - <span>Gather loaded kernel modules</span></li><li><a name="volatility.plugins.linux.mount.linux_mount"></a><a href="volatility.plugins.linux.mount.linux_mount.html">volatility.plugins.linux.mount.linux_mount</a> - <span>Gather mounted fs/devices</span><ul><li><a name="volatility.plugins.linux.mount_cache.linux_mount_cache"></a><a href="volatility.plugins.linux.mount_cache.linux_mount_cache.html">volatility.plugins.linux.mount_cache.linux_mount_cache</a> - <span>Gather mounted fs/devices from kmem_cache</span></li></ul></li><li><a name="volatility.plugins.linux.netstat.linux_netstat"></a><a href="volatility.plugins.linux.netstat.linux_netstat.html">volatility.plugins.linux.netstat.linux_netstat</a> - <span>Lists open sockets</span><ul><li><a name="volatility.plugins.linux.pkt_queues.linux_pkt_queues"></a><a href="volatility.plugins.linux.pkt_queues.linux_pkt_queues.html">volatility.plugins.linux.pkt_queues.linux_pkt_queues</a> - <span>Writes per-process packet queues out to disk</span></li></ul></li><li><a name="volatility.plugins.linux.pslist.linux_pslist"></a><a href="volatility.plugins.linux.pslist.linux_pslist.html">volatility.plugins.linux.pslist.linux_pslist</a> - <span>Gather active tasks by walking the task_struct-&gt;task list</span><ul><li><a name="volatility.plugins.linux.bash.linux_bash"></a><a href="volatility.plugins.linux.bash.linux_bash.html">volatility.plugins.linux.bash.linux_bash</a> - <span>Recover bash history from bash process memory</span></li><li><a name="volatility.plugins.linux.check_creds.linux_check_creds"></a><a href="volatility.plugins.linux.check_creds.linux_check_creds.html">volatility.plugins.linux.check_creds.linux_check_creds</a> - <span>Checks if any processes are sharing credential structures</span></li><li><a name="volatility.plugins.linux.lsof.linux_lsof"></a><a href="volatility.plugins.linux.lsof.linux_lsof.html">volatility.plugins.linux.lsof.linux_lsof</a> - <span>Lists open files</span></li><li><a name="volatility.plugins.linux.pidhashtable.linux_pidhashtable"></a><a href="volatility.plugins.linux.pidhashtable.linux_pidhashtable.html">volatility.plugins.linux.pidhashtable.linux_pidhashtable</a> - <span>Enumerates processes through the PID hash table</span></li><li><a name="volatility.plugins.linux.proc_maps.linux_proc_maps"></a><a href="volatility.plugins.linux.proc_maps.linux_proc_maps.html">volatility.plugins.linux.proc_maps.linux_proc_maps</a> - <span>Gathers process maps for linux</span></li><li><a name="volatility.plugins.linux.psaux.linux_psaux"></a><a href="volatility.plugins.linux.psaux.linux_psaux.html">volatility.plugins.linux.psaux.linux_psaux</a> - <span>Gathers processes along with full command line and start time</span></li><li><a name="volatility.plugins.linux.pslist.linux_memmap"></a><a href="volatility.plugins.linux.pslist.linux_memmap.html">volatility.plugins.linux.pslist.linux_memmap</a> - <span>Dumps the memory map for linux tasks</span></li><li><a name="volatility.plugins.linux.pslist_cache.linux_pslist_cache"></a><a href="volatility.plugins.linux.pslist_cache.linux_pslist_cache.html">volatility.plugins.linux.pslist_cache.linux_pslist_cache</a> - <span>Gather tasks from the kmem_cache</span></li><li><a name="volatility.plugins.linux.pstree.linux_pstree"></a><a href="volatility.plugins.linux.pstree.linux_pstree.html">volatility.plugins.linux.pstree.linux_pstree</a> - <span>Shows the parent/child relationship between processes</span></li></ul></li><li><a name="volatility.plugins.linux.psxview.linux_psxview"></a><a href="volatility.plugins.linux.psxview.linux_psxview.html">volatility.plugins.linux.psxview.linux_psxview</a> - <span>Find hidden processes with various process listings</span></li><li><a name="volatility.plugins.linux.route_cache.linux_route_cache"></a><a href="volatility.plugins.linux.route_cache.linux_route_cache.html">volatility.plugins.linux.route_cache.linux_route_cache</a> - <span>Recovers the routing cache from memory</span></li><li><a name="volatility.plugins.linux.sk_buff_cache.linux_sk_buff_cache"></a><a href="volatility.plugins.linux.sk_buff_cache.linux_sk_buff_cache.html">volatility.plugins.linux.sk_buff_cache.linux_sk_buff_cache</a> - <span>Recovers packets from the sk_buff kmem_cache</span></li><li><a name="volatility.plugins.linux.slab_info.linux_slabinfo"></a><a href="volatility.plugins.linux.slab_info.linux_slabinfo.html">volatility.plugins.linux.slab_info.linux_slabinfo</a> - <span>Mimics /proc/slabinfo on a running machine</span></li><li><a name="volatility.plugins.linux.tmpfs.linux_tmpfs"></a><a href="volatility.plugins.linux.tmpfs.linux_tmpfs.html">volatility.plugins.linux.tmpfs.linux_tmpfs</a> - <span>Recovers tmpfs filesystems from memory</span></li><li><a name="volatility.plugins.linux.vma_cache.linux_vma_cache"></a><a href="volatility.plugins.linux.vma_cache.linux_vma_cache.html">volatility.plugins.linux.vma_cache.linux_vma_cache</a> - <span>Gather VMAs from the vm_area_struct cache</span></li></ul></li><li><a name="volatility.plugins.patcher.Patcher"></a><a href="volatility.plugins.patcher.Patcher.html">volatility.plugins.patcher.Patcher</a> - <span>Patches memory based on page scans</span></li><li><a name="volatility.plugins.registry.shimcache.ShimCache"></a><a href="volatility.plugins.registry.shimcache.ShimCache.html">volatility.plugins.registry.shimcache.ShimCache</a> - <span>Parses the Application Compatibility Shim Cache registry key</span></li></ul></li><li><a name="volatility.conf.ConfObject"></a><a href="volatility.conf.ConfObject.html">volatility.conf.ConfObject</a> - <span>This is a singleton class to manage the configuration.</span><ul><li><a name="volatility.conf.DummyConfig"></a><a href="volatility.conf.DummyConfig.html">volatility.conf.DummyConfig</a> - <span class="undocumented">Undocumented</span></li></ul></li><li><a name="volatility.dwarf.DWARFParser"></a><a href="volatility.dwarf.DWARFParser.html">volatility.dwarf.DWARFParser</a> - <span>A parser for DWARF files.</span></li><li><a name="volatility.fmtspec.FormatSpec"></a><a href="volatility.fmtspec.FormatSpec.html">volatility.fmtspec.FormatSpec</a> - <span class="undocumented">Undocumented</span></li><li><a name="volatility.obj.BaseObject"></a><a href="volatility.obj.BaseObject.html">volatility.obj.BaseObject</a> - <span class="undocumented">No class docstring; 8/30 methods documented</span><ul><li><a name="volatility.obj.Array"></a><a href="volatility.obj.Array.html">volatility.obj.Array</a> - <span>An array of objects of the same size</span></li><li><a name="volatility.obj.CType"></a><a href="volatility.obj.CType.html">volatility.obj.CType</a> - <span>A CType is an object which represents a c struct</span><ul><li><a name="volatility.plugins.evtlogs.EVTRecordStruct"></a><a href="volatility.plugins.evtlogs.EVTRecordStruct.html">volatility.plugins.evtlogs.EVTRecordStruct</a> - <span>A class for event log records</span></li><li><a name="volatility.plugins.gui.win32k_core._HANDLEENTRY"></a><a href="volatility.plugins.gui.win32k_core._HANDLEENTRY.html">volatility.plugins.gui.win32k_core._HANDLEENTRY</a> - <span>A for USER handle entries</span></li><li><a name="volatility.plugins.gui.win32k_core._MM_SESSION_SPACE"></a><a href="volatility.plugins.gui.win32k_core._MM_SESSION_SPACE.html">volatility.plugins.gui.win32k_core._MM_SESSION_SPACE</a> - <span>A class for session spaces</span><ul><li><a name="volatility.plugins.gui.vtypes.win7._MM_SESSION_SPACE"></a><a href="volatility.plugins.gui.vtypes.win7._MM_SESSION_SPACE.html">volatility.plugins.gui.vtypes.win7._MM_SESSION_SPACE</a> - <span>A class for session spaces on Windows 7</span></li></ul></li><li><a name="volatility.plugins.gui.win32k_core._RTL_ATOM_TABLE_ENTRY"></a><a href="volatility.plugins.gui.win32k_core._RTL_ATOM_TABLE_ENTRY.html">volatility.plugins.gui.win32k_core._RTL_ATOM_TABLE_ENTRY</a> - <span>A class for atom table entries</span></li><li><a name="volatility.plugins.gui.win32k_core.tagCLIPDATA"></a><a href="volatility.plugins.gui.win32k_core.tagCLIPDATA.html">volatility.plugins.gui.win32k_core.tagCLIPDATA</a> - <span>A class for clipboard objects</span></li><li><a name="volatility.plugins.gui.win32k_core.tagEVENTHOOK"></a><a href="volatility.plugins.gui.win32k_core.tagEVENTHOOK.html">volatility.plugins.gui.win32k_core.tagEVENTHOOK</a> - <span>A class for event hooks</span></li><li><a name="volatility.plugins.gui.win32k_core.tagHOOK"></a><a href="volatility.plugins.gui.win32k_core.tagHOOK.html">volatility.plugins.gui.win32k_core.tagHOOK</a> - <span>A class for message hooks</span></li><li><a name="volatility.plugins.gui.win32k_core.tagRECT"></a><a href="volatility.plugins.gui.win32k_core.tagRECT.html">volatility.plugins.gui.win32k_core.tagRECT</a> - <span>A class for window rects</span></li><li><a name="volatility.plugins.gui.win32k_core.tagSHAREDINFO"></a><a href="volatility.plugins.gui.win32k_core.tagSHAREDINFO.html">volatility.plugins.gui.win32k_core.tagSHAREDINFO</a> - <span>A class for shared info blocks</span><ul><li><a name="volatility.plugins.gui.vtypes.win7.tagSHAREDINFO"></a><a href="volatility.plugins.gui.vtypes.win7.tagSHAREDINFO.html">volatility.plugins.gui.vtypes.win7.tagSHAREDINFO</a> - <span>A class for shared info blocks on Windows 7</span></li></ul></li><li><a name="volatility.plugins.gui.win32k_core.tagWINDOWSTATION"></a><a href="volatility.plugins.gui.win32k_core.tagWINDOWSTATION.html">volatility.plugins.gui.win32k_core.tagWINDOWSTATION</a> - <span>A class for Windowstation objects</span><ul><li><a name="volatility.plugins.gui.win32k_core._RTL_ATOM_TABLE"></a><a href="volatility.plugins.gui.win32k_core._RTL_ATOM_TABLE.html">volatility.plugins.gui.win32k_core._RTL_ATOM_TABLE</a> - <span>A class for atom tables</span></li><li><a name="volatility.plugins.gui.win32k_core.tagDESKTOP"></a><a href="volatility.plugins.gui.win32k_core.tagDESKTOP.html">volatility.plugins.gui.win32k_core.tagDESKTOP</a> - <span>A class for Desktop objects</span><ul><li><a name="volatility.plugins.gui.win32k_core.tagTHREADINFO"></a><a href="volatility.plugins.gui.win32k_core.tagTHREADINFO.html">volatility.plugins.gui.win32k_core.tagTHREADINFO</a> - <span>A class for thread information objects</span></li></ul></li></ul></li><li><a name="volatility.plugins.gui.win32k_core.tagWND"></a><a href="volatility.plugins.gui.win32k_core.tagWND.html">volatility.plugins.gui.win32k_core.tagWND</a> - <span>A class for window structures</span></li><li><a name="volatility.plugins.linux.slab_info.kmem_cache"></a><a href="volatility.plugins.linux.slab_info.kmem_cache.html">volatility.plugins.linux.slab_info.kmem_cache</a> - <span class="undocumented">Undocumented</span><ul><li><a name="volatility.plugins.linux.slab_info.kmem_cache_slab"></a><a href="volatility.plugins.linux.slab_info.kmem_cache_slab.html">volatility.plugins.linux.slab_info.kmem_cache_slab</a> - <span class="undocumented">Undocumented</span></li></ul></li><li><a name="volatility.plugins.malware.callbacks._SHUTDOWN_PACKET"></a><a href="volatility.plugins.malware.callbacks._SHUTDOWN_PACKET.html">volatility.plugins.malware.callbacks._SHUTDOWN_PACKET</a> - <span>Class for shutdown notification callbacks</span></li><li><a name="volatility.plugins.malware.cmdhistory._COMMAND_HISTORY"></a><a href="volatility.plugins.malware.cmdhistory._COMMAND_HISTORY.html">volatility.plugins.malware.cmdhistory._COMMAND_HISTORY</a> - <span>object class for command histories</span></li><li><a name="volatility.plugins.malware.cmdhistory._CONSOLE_INFORMATION"></a><a href="volatility.plugins.malware.cmdhistory._CONSOLE_INFORMATION.html">volatility.plugins.malware.cmdhistory._CONSOLE_INFORMATION</a> - <span>object class for console information structs</span></li><li><a name="volatility.plugins.malware.cmdhistory._CONSOLE_PROCESS"></a><a href="volatility.plugins.malware.cmdhistory._CONSOLE_PROCESS.html">volatility.plugins.malware.cmdhistory._CONSOLE_PROCESS</a> - <span>object class for console process</span></li><li><a name="volatility.plugins.malware.cmdhistory._EXE_ALIAS_LIST"></a><a href="volatility.plugins.malware.cmdhistory._EXE_ALIAS_LIST.html">volatility.plugins.malware.cmdhistory._EXE_ALIAS_LIST</a> - <span>object class for alias lists</span></li><li><a name="volatility.plugins.malware.cmdhistory._SCREEN_INFORMATION"></a><a href="volatility.plugins.malware.cmdhistory._SCREEN_INFORMATION.html">volatility.plugins.malware.cmdhistory._SCREEN_INFORMATION</a> - <span>object class for screen information</span></li><li><a name="volatility.plugins.malware.devicetree._DEVICE_OBJECT"></a><a href="volatility.plugins.malware.devicetree._DEVICE_OBJECT.html">volatility.plugins.malware.devicetree._DEVICE_OBJECT</a> - <span>Class for device objects</span></li><li><a name="volatility.plugins.malware.devicetree._DRIVER_OBJECT"></a><a href="volatility.plugins.malware.devicetree._DRIVER_OBJECT.html">volatility.plugins.malware.devicetree._DRIVER_OBJECT</a> - <span>Class for driver objects</span></li><li><a name="volatility.plugins.malware.idt._KGDTENTRY"></a><a href="volatility.plugins.malware.idt._KGDTENTRY.html">volatility.plugins.malware.idt._KGDTENTRY</a> - <span>A class for GDT entries</span></li><li><a name="volatility.plugins.malware.idt._KIDTENTRY"></a><a href="volatility.plugins.malware.idt._KIDTENTRY.html">volatility.plugins.malware.idt._KIDTENTRY</a> - <span>Class for interrupt descriptors</span></li><li><a name="volatility.plugins.malware.svcscan._SERVICE_HEADER"></a><a href="volatility.plugins.malware.svcscan._SERVICE_HEADER.html">volatility.plugins.malware.svcscan._SERVICE_HEADER</a> - <span>Service headers for 2008, Vista, 7 x86 and x64</span></li><li><a name="volatility.plugins.malware.svcscan._SERVICE_RECORD_LEGACY"></a><a href="volatility.plugins.malware.svcscan._SERVICE_RECORD_LEGACY.html">volatility.plugins.malware.svcscan._SERVICE_RECORD_LEGACY</a> - <span>Service records for XP/2003 x86 and x64</span><ul><li><a name="volatility.plugins.malware.svcscan._SERVICE_RECORD_RECENT"></a><a href="volatility.plugins.malware.svcscan._SERVICE_RECORD_RECENT.html">volatility.plugins.malware.svcscan._SERVICE_RECORD_RECENT</a> - <span>Service records for 2008, Vista, 7 x86 and x64</span></li></ul></li><li><a name="volatility.plugins.netscan._TCP_LISTENER"></a><a href="volatility.plugins.netscan._TCP_LISTENER.html">volatility.plugins.netscan._TCP_LISTENER</a> - <span>Class for objects found in TcpL pools</span><ul><li><a name="volatility.plugins.netscan._TCP_ENDPOINT"></a><a href="volatility.plugins.netscan._TCP_ENDPOINT.html">volatility.plugins.netscan._TCP_ENDPOINT</a> - <span>Class for objects found in TcpE pools</span></li><li><a name="volatility.plugins.netscan._UDP_ENDPOINT"></a><a href="volatility.plugins.netscan._UDP_ENDPOINT.html">volatility.plugins.netscan._UDP_ENDPOINT</a> - <span>Class for objects found in UdpA pools</span></li></ul></li><li><a name="volatility.plugins.overlays.basic.VOLATILITY_MAGIC"></a><a href="volatility.plugins.overlays.basic.VOLATILITY_MAGIC.html">volatility.plugins.overlays.basic.VOLATILITY_MAGIC</a> - <span>Class representing a VOLATILITY_MAGIC namespace</span></li><li><a name="volatility.plugins.overlays.linux.linux.desc_struct"></a><a href="volatility.plugins.overlays.linux.linux.desc_struct.html">volatility.plugins.overlays.linux.linux.desc_struct</a> - <span class="undocumented">Undocumented</span></li><li><a name="volatility.plugins.overlays.linux.linux.files_struct"></a><a href="volatility.plugins.overlays.linux.linux.files_struct.html">volatility.plugins.overlays.linux.linux.files_struct</a> - <span class="undocumented">Undocumented</span></li><li><a name="volatility.plugins.overlays.linux.linux.gate_struct64"></a><a href="volatility.plugins.overlays.linux.linux.gate_struct64.html">volatility.plugins.overlays.linux.linux.gate_struct64</a> - <span class="undocumented">Undocumented</span></li><li><a name="volatility.plugins.overlays.linux.linux.hlist_node"></a><a href="volatility.plugins.overlays.linux.linux.hlist_node.html">volatility.plugins.overlays.linux.linux.hlist_node</a> - <span>A hlist_node makes a doubly linked list.</span></li><li><a name="volatility.plugins.overlays.linux.linux.kernel_param"></a><a href="volatility.plugins.overlays.linux.linux.kernel_param.html">volatility.plugins.overlays.linux.linux.kernel_param</a> - <span class="undocumented">Undocumented</span></li><li><a name="volatility.plugins.overlays.linux.linux.kparam_array"></a><a href="volatility.plugins.overlays.linux.linux.kparam_array.html">volatility.plugins.overlays.linux.linux.kparam_array</a> - <span class="undocumented">Undocumented</span></li><li><a name="volatility.plugins.overlays.linux.linux.linux_file"></a><a href="volatility.plugins.overlays.linux.linux.linux_file.html">volatility.plugins.overlays.linux.linux.linux_file</a> - <span class="undocumented">Undocumented</span></li><li><a name="volatility.plugins.overlays.linux.linux.linux_fs_struct"></a><a href="volatility.plugins.overlays.linux.linux.linux_fs_struct.html">volatility.plugins.overlays.linux.linux.linux_fs_struct</a> - <span class="undocumented">Undocumented</span></li><li><a name="volatility.plugins.overlays.linux.linux.list_head"></a><a href="volatility.plugins.overlays.linux.linux.list_head.html">volatility.plugins.overlays.linux.linux.list_head</a> - <span>A list_head makes a doubly linked list.</span></li><li><a name="volatility.plugins.overlays.linux.linux.module_sect_attr"></a><a href="volatility.plugins.overlays.linux.linux.module_sect_attr.html">volatility.plugins.overlays.linux.linux.module_sect_attr</a> - <span class="undocumented">Undocumented</span></li><li><a name="volatility.plugins.overlays.linux.linux.mount"></a><a href="volatility.plugins.overlays.linux.linux.mount.html">volatility.plugins.overlays.linux.linux.mount</a> - <span class="undocumented">Undocumented</span></li><li><a name="volatility.plugins.overlays.linux.linux.net_device"></a><a href="volatility.plugins.overlays.linux.linux.net_device.html">volatility.plugins.overlays.linux.linux.net_device</a> - <span class="undocumented">Undocumented</span></li><li><a name="volatility.plugins.overlays.linux.linux.page"></a><a href="volatility.plugins.overlays.linux.linux.page.html">volatility.plugins.overlays.linux.linux.page</a> - <span class="undocumented">Undocumented</span></li><li><a name="volatility.plugins.overlays.linux.linux.task_struct"></a><a href="volatility.plugins.overlays.linux.linux.task_struct.html">volatility.plugins.overlays.linux.linux.task_struct</a> - <span class="undocumented">Undocumented</span></li><li><a name="volatility.plugins.overlays.linux.linux.vfsmount"></a><a href="volatility.plugins.overlays.linux.linux.vfsmount.html">volatility.plugins.overlays.linux.linux.vfsmount</a> - <span class="undocumented">Undocumented</span></li><li><a name="volatility.plugins.overlays.windows.kdbg_vtypes._KDDEBUGGER_DATA64"></a><a href="volatility.plugins.overlays.windows.kdbg_vtypes._KDDEBUGGER_DATA64.html">volatility.plugins.overlays.windows.kdbg_vtypes._KDDEBUGGER_DATA64</a> - <span>A class for KDBG</span></li><li><a name="volatility.plugins.overlays.windows.kpcr_vtypes._KPCROnx86"></a><a href="volatility.plugins.overlays.windows.kpcr_vtypes._KPCROnx86.html">volatility.plugins.overlays.windows.kpcr_vtypes._KPCROnx86</a> - <span>KPCR for 32bit windows</span><ul><li><a name="volatility.plugins.overlays.windows.kpcr_vtypes._KPCROnx64"></a><a href="volatility.plugins.overlays.windows.kpcr_vtypes._KPCROnx64.html">volatility.plugins.overlays.windows.kpcr_vtypes._KPCROnx64</a> - <span>KPCR for x64 windows</span></li></ul></li><li><a name="volatility.plugins.overlays.windows.pe_vtypes._IMAGE_EXPORT_DIRECTORY"></a><a href="volatility.plugins.overlays.windows.pe_vtypes._IMAGE_EXPORT_DIRECTORY.html">volatility.plugins.overlays.windows.pe_vtypes._IMAGE_EXPORT_DIRECTORY</a> - <span>Class for PE export directory</span></li><li><a name="volatility.plugins.overlays.windows.pe_vtypes._IMAGE_IMPORT_DESCRIPTOR"></a><a href="volatility.plugins.overlays.windows.pe_vtypes._IMAGE_IMPORT_DESCRIPTOR.html">volatility.plugins.overlays.windows.pe_vtypes._IMAGE_IMPORT_DESCRIPTOR</a> - <span>Handles IID entries for imported functions</span></li><li><a name="volatility.plugins.overlays.windows.pe_vtypes._LDR_DATA_TABLE_ENTRY"></a><a href="volatility.plugins.overlays.windows.pe_vtypes._LDR_DATA_TABLE_ENTRY.html">volatility.plugins.overlays.windows.pe_vtypes._LDR_DATA_TABLE_ENTRY</a> - <span>Class for PE file / modules</span></li><li><a name="volatility.plugins.overlays.windows.win2003._MM_AVL_TABLE"></a><a href="volatility.plugins.overlays.windows.win2003._MM_AVL_TABLE.html">volatility.plugins.overlays.windows.win2003._MM_AVL_TABLE</a> - <span class="undocumented">No class docstring; 1/1 methods documented</span></li><li><a name="volatility.plugins.overlays.windows.windows._CM_KEY_BODY"></a><a href="volatility.plugins.overlays.windows.windows._CM_KEY_BODY.html">volatility.plugins.overlays.windows.windows._CM_KEY_BODY</a> - <span>Registry key</span></li><li><a name="volatility.plugins.overlays.windows.windows._EPROCESS"></a><a href="volatility.plugins.overlays.windows.windows._EPROCESS.html">volatility.plugins.overlays.windows.windows._EPROCESS</a> - <span>An extensive _EPROCESS with bells and whistles</span><ul><li><a name="volatility.plugins.malware.malfind.MalwareEPROCESS"></a><a href="volatility.plugins.malware.malfind.MalwareEPROCESS.html">volatility.plugins.malware.malfind.MalwareEPROCESS</a> - <span>Extension of the default EPROCESS with some helpers</span></li></ul></li><li><a name="volatility.plugins.overlays.windows.windows._ETHREAD"></a><a href="volatility.plugins.overlays.windows.windows._ETHREAD.html">volatility.plugins.overlays.windows.windows._ETHREAD</a> - <span>A class for threads</span><ul><li><a name="volatility.plugins.overlays.windows.vista._ETHREAD"></a><a href="volatility.plugins.overlays.windows.vista._ETHREAD.html">volatility.plugins.overlays.windows.vista._ETHREAD</a> - <span>A class for Windows 7 ETHREAD objects</span></li></ul></li><li><a name="volatility.plugins.overlays.windows.windows._EX_FAST_REF"></a><a href="volatility.plugins.overlays.windows.windows._EX_FAST_REF.html">volatility.plugins.overlays.windows.windows._EX_FAST_REF</a> - <span class="undocumented">No class docstring; 1/1 methods documented</span><ul><li><a name="volatility.plugins.overlays.windows.windows64._EX_FAST_REF"></a><a href="volatility.plugins.overlays.windows.windows64._EX_FAST_REF.html">volatility.plugins.overlays.windows.windows64._EX_FAST_REF</a> - <span class="undocumented">Undocumented</span></li></ul></li><li><a name="volatility.plugins.overlays.windows.windows._FILE_OBJECT"></a><a href="volatility.plugins.overlays.windows.windows._FILE_OBJECT.html">volatility.plugins.overlays.windows.windows._FILE_OBJECT</a> - <span>Class for file objects</span></li><li><a name="volatility.plugins.overlays.windows.windows._HANDLE_TABLE"></a><a href="volatility.plugins.overlays.windows.windows._HANDLE_TABLE.html">volatility.plugins.overlays.windows.windows._HANDLE_TABLE</a> - <span>A class for _HANDLE_TABLE.</span><ul><li><a name="volatility.plugins.malware.psxview._PSP_CID_TABLE"></a><a href="volatility.plugins.malware.psxview._PSP_CID_TABLE.html">volatility.plugins.malware.psxview._PSP_CID_TABLE</a> - <span>Subclass the Windows handle table object for parsing PspCidTable</span></li></ul></li><li><a name="volatility.plugins.overlays.windows.windows._IMAGE_DOS_HEADER"></a><a href="volatility.plugins.overlays.windows.windows._IMAGE_DOS_HEADER.html">volatility.plugins.overlays.windows.windows._IMAGE_DOS_HEADER</a> - <span>DOS header</span></li><li><a name="volatility.plugins.overlays.windows.windows._IMAGE_NT_HEADERS"></a><a href="volatility.plugins.overlays.windows.windows._IMAGE_NT_HEADERS.html">volatility.plugins.overlays.windows.windows._IMAGE_NT_HEADERS</a> - <span>PE header</span></li><li><a name="volatility.plugins.overlays.windows.windows._IMAGE_SECTION_HEADER"></a><a href="volatility.plugins.overlays.windows.windows._IMAGE_SECTION_HEADER.html">volatility.plugins.overlays.windows.windows._IMAGE_SECTION_HEADER</a> - <span>PE section</span></li><li><a name="volatility.plugins.overlays.windows.windows._LIST_ENTRY"></a><a href="volatility.plugins.overlays.windows.windows._LIST_ENTRY.html">volatility.plugins.overlays.windows.windows._LIST_ENTRY</a> - <span>Adds iterators for _LIST_ENTRY types</span></li><li><a name="volatility.plugins.overlays.windows.windows._MMVAD"></a><a href="volatility.plugins.overlays.windows.windows._MMVAD.html">volatility.plugins.overlays.windows.windows._MMVAD</a> - <span>Class factory for _MMVAD objects</span></li><li><a name="volatility.plugins.overlays.windows.windows._MMVAD_FLAGS"></a><a href="volatility.plugins.overlays.windows.windows._MMVAD_FLAGS.html">volatility.plugins.overlays.windows.windows._MMVAD_FLAGS</a> - <span>This is for _MMVAD_SHORT.u.VadFlags</span><ul><li><a name="volatility.plugins.overlays.windows.windows._MMSECTION_FLAGS"></a><a href="volatility.plugins.overlays.windows.windows._MMSECTION_FLAGS.html">volatility.plugins.overlays.windows.windows._MMSECTION_FLAGS</a> - <span>This is for _CONTROL_AREA.u.Flags</span></li><li><a name="volatility.plugins.overlays.windows.windows._MMVAD_FLAGS2"></a><a href="volatility.plugins.overlays.windows.windows._MMVAD_FLAGS2.html">volatility.plugins.overlays.windows.windows._MMVAD_FLAGS2</a> - <span>This is for _MMVAD_LONG.u2.VadFlags2</span></li></ul></li><li><a name="volatility.plugins.overlays.windows.windows._MMVAD_SHORT"></a><a href="volatility.plugins.overlays.windows.windows._MMVAD_SHORT.html">volatility.plugins.overlays.windows.windows._MMVAD_SHORT</a> - <span>Class with convenience functions for _MMVAD_SHORT functions</span><ul><li><a name="volatility.plugins.overlays.windows.vista._MMVAD_SHORT"></a><a href="volatility.plugins.overlays.windows.vista._MMVAD_SHORT.html">volatility.plugins.overlays.windows.vista._MMVAD_SHORT</a> - <span class="undocumented">Undocumented</span><ul><li><a name="volatility.plugins.overlays.windows.vista._MMVAD_LONG"></a><a href="volatility.plugins.overlays.windows.vista._MMVAD_LONG.html">volatility.plugins.overlays.windows.vista._MMVAD_LONG</a> - <span class="undocumented">Undocumented</span></li></ul></li><li><a name="volatility.plugins.overlays.windows.win2003._MMVAD_SHORT"></a><a href="volatility.plugins.overlays.windows.win2003._MMVAD_SHORT.html">volatility.plugins.overlays.windows.win2003._MMVAD_SHORT</a> - <span class="undocumented">No class docstring; 1/1 methods documented</span><ul><li><a name="volatility.plugins.overlays.windows.win2003._MMVAD_LONG"></a><a href="volatility.plugins.overlays.windows.win2003._MMVAD_LONG.html">volatility.plugins.overlays.windows.win2003._MMVAD_LONG</a> - <span class="undocumented">Undocumented</span></li></ul></li><li><a name="volatility.plugins.overlays.windows.windows._MMVAD_LONG"></a><a href="volatility.plugins.overlays.windows.windows._MMVAD_LONG.html">volatility.plugins.overlays.windows.windows._MMVAD_LONG</a> - <span>Subclasses _MMVAD_LONG based on _MMVAD_SHORT</span></li></ul></li><li><a name="volatility.plugins.overlays.windows.windows._OBJECT_HEADER"></a><a href="volatility.plugins.overlays.windows.windows._OBJECT_HEADER.html">volatility.plugins.overlays.windows.windows._OBJECT_HEADER</a> - <span>A Volatility object to handle Windows object headers.</span><ul><li><a name="volatility.plugins.overlays.windows.win7._OBJECT_HEADER"></a><a href="volatility.plugins.overlays.windows.win7._OBJECT_HEADER.html">volatility.plugins.overlays.windows.win7._OBJECT_HEADER</a> - <span>A Volatility object to handle Windows 7 object headers.</span></li></ul></li><li><a name="volatility.plugins.overlays.windows.windows._POOL_HEADER"></a><a href="volatility.plugins.overlays.windows.windows._POOL_HEADER.html">volatility.plugins.overlays.windows.windows._POOL_HEADER</a> - <span>A class for pool headers</span><ul><li><a name="volatility.plugins.overlays.windows.vista._POOL_HEADER"></a><a href="volatility.plugins.overlays.windows.vista._POOL_HEADER.html">volatility.plugins.overlays.windows.vista._POOL_HEADER</a> - <span>A class for pool headers</span></li></ul></li><li><a name="volatility.plugins.overlays.windows.windows._TOKEN"></a><a href="volatility.plugins.overlays.windows.windows._TOKEN.html">volatility.plugins.overlays.windows.windows._TOKEN</a> - <span>A class for Tokens</span></li><li><a name="volatility.plugins.overlays.windows.windows._UNICODE_STRING"></a><a href="volatility.plugins.overlays.windows.windows._UNICODE_STRING.html">volatility.plugins.overlays.windows.windows._UNICODE_STRING</a> - <span>Class representing a _UNICODE_STRING</span></li></ul></li><li><a name="volatility.obj.NativeType"></a><a href="volatility.obj.NativeType.html">volatility.obj.NativeType</a> - <span class="undocumented">No class docstring; 1/8 methods documented</span><ul><li><a name="volatility.obj.BitField"></a><a href="volatility.obj.BitField.html">volatility.obj.BitField</a> - <span>A class splitting an integer into a bunch of bit.</span></li><li><a name="volatility.obj.Pointer"></a><a href="volatility.obj.Pointer.html">volatility.obj.Pointer</a> - <span class="undocumented">No class docstring; 1/13 methods documented</span></li><li><a name="volatility.obj.Void"></a><a href="volatility.obj.Void.html">volatility.obj.Void</a> - <span class="undocumented">Undocumented</span></li><li><a name="volatility.plugins.overlays.basic.Enumeration"></a><a href="volatility.plugins.overlays.basic.Enumeration.html">volatility.plugins.overlays.basic.Enumeration</a> - <span>Enumeration class for handling multiple possible meanings for a single value</span></li><li><a name="volatility.plugins.overlays.basic.Flags"></a><a href="volatility.plugins.overlays.basic.Flags.html">volatility.plugins.overlays.basic.Flags</a> - <span>This object decodes each flag into a string</span></li><li><a name="volatility.plugins.overlays.basic.IpAddress"></a><a href="volatility.plugins.overlays.basic.IpAddress.html">volatility.plugins.overlays.basic.IpAddress</a> - <span>Provides proper output for IpAddress objects</span></li><li><a name="volatility.plugins.overlays.basic.Ipv6Address"></a><a href="volatility.plugins.overlays.basic.Ipv6Address.html">volatility.plugins.overlays.basic.Ipv6Address</a> - <span>Provides proper output for Ipv6Address objects</span></li><li><a name="volatility.plugins.overlays.windows.windows.WinTimeStamp"></a><a href="volatility.plugins.overlays.windows.windows.WinTimeStamp.html">volatility.plugins.overlays.windows.windows.WinTimeStamp</a> - <span>Class for handling Windows Time Stamps</span><ul><li><a name="volatility.plugins.overlays.windows.windows.ThreadCreateTimeStamp"></a><a href="volatility.plugins.overlays.windows.windows.ThreadCreateTimeStamp.html">volatility.plugins.overlays.windows.windows.ThreadCreateTimeStamp</a> - <span>Handles ThreadCreateTimeStamps which are bit shifted WinTimeStamps</span></li></ul></li></ul></li><li><a name="volatility.obj.VolatilityMagic"></a><a href="volatility.obj.VolatilityMagic.html">volatility.obj.VolatilityMagic</a> - <span>Class to contain Volatility Magic value</span><ul><li><a name="volatility.plugins.overlays.basic.VolatilityDTB"></a><a href="volatility.plugins.overlays.basic.VolatilityDTB.html">volatility.plugins.overlays.basic.VolatilityDTB</a> - <span class="undocumented">Undocumented</span></li><li><a name="volatility.plugins.overlays.linux.linux.VolatilityDTB"></a><a href="volatility.plugins.overlays.linux.linux.VolatilityDTB.html">volatility.plugins.overlays.linux.linux.VolatilityDTB</a> - <span>A scanner for DTB values.</span></li><li><a name="volatility.plugins.overlays.linux.linux.VolatilityLinuxValidAS"></a><a href="volatility.plugins.overlays.linux.linux.VolatilityLinuxValidAS.html">volatility.plugins.overlays.linux.linux.VolatilityLinuxValidAS</a> - <span>An object to check that an address space is a valid Arm Paged space</span></li><li><a name="volatility.plugins.overlays.linux.linux64.VolatilityDTB"></a><a href="volatility.plugins.overlays.linux.linux64.VolatilityDTB.html">volatility.plugins.overlays.linux.linux64.VolatilityDTB</a> - <span>A scanner for DTB values.</span></li><li><a name="volatility.plugins.overlays.windows.windows.VolatilityIA32ValidAS"></a><a href="volatility.plugins.overlays.windows.windows.VolatilityIA32ValidAS.html">volatility.plugins.overlays.windows.windows.VolatilityIA32ValidAS</a> - <span>An object to check that an address space is a valid IA32 Paged space</span></li><li><a name="volatility.plugins.overlays.windows.windows.VolatilityKDBG"></a><a href="volatility.plugins.overlays.windows.windows.VolatilityKDBG.html">volatility.plugins.overlays.windows.windows.VolatilityKDBG</a> - <span>A Scanner for KDBG data within an address space</span></li><li><a name="volatility.plugins.overlays.windows.windows.VolatilityKPCR"></a><a href="volatility.plugins.overlays.windows.windows.VolatilityKPCR.html">volatility.plugins.overlays.windows.windows.VolatilityKPCR</a> - <span>A scanner for KPCR data within an address space</span></li><li><a name="volatility.plugins.overlays.windows.windows.VolatilityMaxAddress"></a><a href="volatility.plugins.overlays.windows.windows.VolatilityMaxAddress.html">volatility.plugins.overlays.windows.windows.VolatilityMaxAddress</a> - <span>The maximum address of a profile's underlying AS.</span></li></ul></li><li><a name="volatility.plugins.overlays.basic.String"></a><a href="volatility.plugins.overlays.basic.String.html">volatility.plugins.overlays.basic.String</a> - <span>Class for dealing with Strings</span></li></ul></li><li><a name="volatility.obj.NoneObject"></a><a href="volatility.obj.NoneObject.html">volatility.obj.NoneObject</a> - <span>A magical object which is like None but swallows bad dereferences, __getattribute__, iterators etc to return itself.</span></li><li><a name="volatility.obj.NumericProxyMixIn"></a><a href="volatility.obj.NumericProxyMixIn.html">volatility.obj.NumericProxyMixIn</a> - <span>This MixIn implements the numeric protocol</span><ul><li><a href="volatility.obj.NativeType.html">volatility.obj.NativeType</a> - <span class="undocumented">No class docstring; 1/8 methods documented</span><ul><li><a href="volatility.obj.BitField.html">volatility.obj.BitField</a> - <span>A class splitting an integer into a bunch of bit.</span></li><li><a href="volatility.obj.Pointer.html">volatility.obj.Pointer</a> - <span class="undocumented">No class docstring; 1/13 methods documented</span></li><li><a href="volatility.obj.Void.html">volatility.obj.Void</a> - <span class="undocumented">Undocumented</span></li><li><a href="volatility.plugins.overlays.basic.Enumeration.html">volatility.plugins.overlays.basic.Enumeration</a> - <span>Enumeration class for handling multiple possible meanings for a single value</span></li><li><a href="volatility.plugins.overlays.basic.Flags.html">volatility.plugins.overlays.basic.Flags</a> - <span>This object decodes each flag into a string</span></li><li><a href="volatility.plugins.overlays.basic.IpAddress.html">volatility.plugins.overlays.basic.IpAddress</a> - <span>Provides proper output for IpAddress objects</span></li><li><a href="volatility.plugins.overlays.basic.Ipv6Address.html">volatility.plugins.overlays.basic.Ipv6Address</a> - <span>Provides proper output for Ipv6Address objects</span></li><li><a href="volatility.plugins.overlays.windows.windows.WinTimeStamp.html">volatility.plugins.overlays.windows.windows.WinTimeStamp</a> - <span>Class for handling Windows Time Stamps</span><ul><li><a href="volatility.plugins.overlays.windows.windows.ThreadCreateTimeStamp.html">volatility.plugins.overlays.windows.windows.ThreadCreateTimeStamp</a> - <span>Handles ThreadCreateTimeStamps which are bit shifted WinTimeStamps</span></li></ul></li></ul></li></ul></li><li><a name="volatility.obj.Profile"></a><a href="volatility.obj.Profile.html">volatility.obj.Profile</a> - <span class="undocumented">No class docstring; 1/1 class methods, 18/20 methods documented</span><ul><li><a name="volatility.plugins.overlays.windows.vista.VistaSP0x64"></a><a href="volatility.plugins.overlays.windows.vista.VistaSP0x64.html">volatility.plugins.overlays.windows.vista.VistaSP0x64</a> - <span>A Profile for Windows Vista SP0 x64</span></li><li><a name="volatility.plugins.overlays.windows.vista.VistaSP0x86"></a><a href="volatility.plugins.overlays.windows.vista.VistaSP0x86.html">volatility.plugins.overlays.windows.vista.VistaSP0x86</a> - <span>A Profile for Windows Vista SP0 x86</span></li><li><a name="volatility.plugins.overlays.windows.vista.VistaSP1x64"></a><a href="volatility.plugins.overlays.windows.vista.VistaSP1x64.html">volatility.plugins.overlays.windows.vista.VistaSP1x64</a> - <span>A Profile for Windows Vista SP1 x64</span><ul><li><a name="volatility.plugins.overlays.windows.vista.Win2008SP1x64"></a><a href="volatility.plugins.overlays.windows.vista.Win2008SP1x64.html">volatility.plugins.overlays.windows.vista.Win2008SP1x64</a> - <span>A Profile for Windows 2008 SP1 x64</span></li></ul></li><li><a name="volatility.plugins.overlays.windows.vista.VistaSP1x86"></a><a href="volatility.plugins.overlays.windows.vista.VistaSP1x86.html">volatility.plugins.overlays.windows.vista.VistaSP1x86</a> - <span>A Profile for Windows Vista SP1 x86</span><ul><li><a name="volatility.plugins.overlays.windows.vista.Win2008SP1x86"></a><a href="volatility.plugins.overlays.windows.vista.Win2008SP1x86.html">volatility.plugins.overlays.windows.vista.Win2008SP1x86</a> - <span>A Profile for Windows 2008 SP1 x86</span></li></ul></li><li><a name="volatility.plugins.overlays.windows.vista.VistaSP2x64"></a><a href="volatility.plugins.overlays.windows.vista.VistaSP2x64.html">volatility.plugins.overlays.windows.vista.VistaSP2x64</a> - <span>A Profile for Windows Vista SP2 x64</span><ul><li><a name="volatility.plugins.overlays.windows.vista.Win2008SP2x64"></a><a href="volatility.plugins.overlays.windows.vista.Win2008SP2x64.html">volatility.plugins.overlays.windows.vista.Win2008SP2x64</a> - <span>A Profile for Windows 2008 SP2 x64</span></li></ul></li><li><a name="volatility.plugins.overlays.windows.vista.VistaSP2x86"></a><a href="volatility.plugins.overlays.windows.vista.VistaSP2x86.html">volatility.plugins.overlays.windows.vista.VistaSP2x86</a> - <span>A Profile for Windows Vista SP2 x86</span><ul><li><a name="volatility.plugins.overlays.windows.vista.Win2008SP2x86"></a><a href="volatility.plugins.overlays.windows.vista.Win2008SP2x86.html">volatility.plugins.overlays.windows.vista.Win2008SP2x86</a> - <span>A Profile for Windows 2008 SP2 x86</span></li></ul></li><li><a name="volatility.plugins.overlays.windows.win2003.Win2003SP0x86"></a><a href="volatility.plugins.overlays.windows.win2003.Win2003SP0x86.html">volatility.plugins.overlays.windows.win2003.Win2003SP0x86</a> - <span>A Profile for Windows 2003 SP0 x86</span></li><li><a name="volatility.plugins.overlays.windows.win2003.Win2003SP1x64"></a><a href="volatility.plugins.overlays.windows.win2003.Win2003SP1x64.html">volatility.plugins.overlays.windows.win2003.Win2003SP1x64</a> - <span>A Profile for Windows 2003 SP1 x64</span><ul><li><a name="volatility.plugins.overlays.windows.win2003.WinXPSP1x64"></a><a href="volatility.plugins.overlays.windows.win2003.WinXPSP1x64.html">volatility.plugins.overlays.windows.win2003.WinXPSP1x64</a> - <span>A Profile for Windows XP SP1 x64</span></li></ul></li><li><a name="volatility.plugins.overlays.windows.win2003.Win2003SP1x86"></a><a href="volatility.plugins.overlays.windows.win2003.Win2003SP1x86.html">volatility.plugins.overlays.windows.win2003.Win2003SP1x86</a> - <span>A Profile for Windows 2003 SP1 x86</span></li><li><a name="volatility.plugins.overlays.windows.win2003.Win2003SP2x64"></a><a href="volatility.plugins.overlays.windows.win2003.Win2003SP2x64.html">volatility.plugins.overlays.windows.win2003.Win2003SP2x64</a> - <span>A Profile for Windows 2003 SP2 x64</span><ul><li><a name="volatility.plugins.overlays.windows.win2003.WinXPSP2x64"></a><a href="volatility.plugins.overlays.windows.win2003.WinXPSP2x64.html">volatility.plugins.overlays.windows.win2003.WinXPSP2x64</a> - <span>A Profile for Windows XP SP2 x64</span></li></ul></li><li><a name="volatility.plugins.overlays.windows.win2003.Win2003SP2x86"></a><a href="volatility.plugins.overlays.windows.win2003.Win2003SP2x86.html">volatility.plugins.overlays.windows.win2003.Win2003SP2x86</a> - <span>A Profile for Windows 2003 SP2 x86</span></li><li><a name="volatility.plugins.overlays.windows.win7.Win7SP0x64"></a><a href="volatility.plugins.overlays.windows.win7.Win7SP0x64.html">volatility.plugins.overlays.windows.win7.Win7SP0x64</a> - <span>A Profile for Windows 7 SP0 x64</span><ul><li><a name="volatility.plugins.overlays.windows.win7.Win2008R2SP0x64"></a><a href="volatility.plugins.overlays.windows.win7.Win2008R2SP0x64.html">volatility.plugins.overlays.windows.win7.Win2008R2SP0x64</a> - <span>A Profile for Windows 2008 R2 SP0 x64</span></li></ul></li><li><a name="volatility.plugins.overlays.windows.win7.Win7SP0x86"></a><a href="volatility.plugins.overlays.windows.win7.Win7SP0x86.html">volatility.plugins.overlays.windows.win7.Win7SP0x86</a> - <span>A Profile for Windows 7 SP0 x86</span></li><li><a name="volatility.plugins.overlays.windows.win7.Win7SP1x64"></a><a href="volatility.plugins.overlays.windows.win7.Win7SP1x64.html">volatility.plugins.overlays.windows.win7.Win7SP1x64</a> - <span>A Profile for Windows 7 SP1 x64</span><ul><li><a name="volatility.plugins.overlays.windows.win7.Win2008R2SP1x64"></a><a href="volatility.plugins.overlays.windows.win7.Win2008R2SP1x64.html">volatility.plugins.overlays.windows.win7.Win2008R2SP1x64</a> - <span>A Profile for Windows 2008 R2 SP1 x64</span></li></ul></li><li><a name="volatility.plugins.overlays.windows.win7.Win7SP1x86"></a><a href="volatility.plugins.overlays.windows.win7.Win7SP1x86.html">volatility.plugins.overlays.windows.win7.Win7SP1x86</a> - <span>A Profile for Windows 7 SP1 x86</span></li><li><a name="volatility.plugins.overlays.windows.xp.WinXPSP2x86"></a><a href="volatility.plugins.overlays.windows.xp.WinXPSP2x86.html">volatility.plugins.overlays.windows.xp.WinXPSP2x86</a> - <span>A Profile for Windows XP SP2 x86</span></li><li><a name="volatility.plugins.overlays.windows.xp.WinXPSP3x86"></a><a href="volatility.plugins.overlays.windows.xp.WinXPSP3x86.html">volatility.plugins.overlays.windows.xp.WinXPSP3x86</a> - <span>A Profile for Windows XP SP3 x86</span></li></ul></li><li><a name="volatility.obj.ProfileModification"></a><a href="volatility.obj.ProfileModification.html">volatility.obj.ProfileModification</a> - <span>Class for modifying profiles for additional functionality</span><ul><li><a name="volatility.plugins.addrspaces.lime.LimeTypes"></a><a href="volatility.plugins.addrspaces.lime.LimeTypes.html">volatility.plugins.addrspaces.lime.LimeTypes</a> - <span class="undocumented">Undocumented</span></li><li><a name="volatility.plugins.evtlogs.EVTObjectTypes"></a><a href="volatility.plugins.evtlogs.EVTObjectTypes.html">volatility.plugins.evtlogs.EVTObjectTypes</a> - <span class="undocumented">Undocumented</span></li><li><a name="volatility.plugins.gui.vtypes.vista.Vista2008x64GuiVTypes"></a><a href="volatility.plugins.gui.vtypes.vista.Vista2008x64GuiVTypes.html">volatility.plugins.gui.vtypes.vista.Vista2008x64GuiVTypes</a> - <span class="undocumented">Undocumented</span></li><li><a name="volatility.plugins.gui.vtypes.vista.Vista2008x86GuiVTypes"></a><a href="volatility.plugins.gui.vtypes.vista.Vista2008x86GuiVTypes.html">volatility.plugins.gui.vtypes.vista.Vista2008x86GuiVTypes</a> - <span class="undocumented">Undocumented</span></li><li><a name="volatility.plugins.gui.vtypes.win2003.Win2003x86GuiVTypes"></a><a href="volatility.plugins.gui.vtypes.win2003.Win2003x86GuiVTypes.html">volatility.plugins.gui.vtypes.win2003.Win2003x86GuiVTypes</a> - <span>Apply the overlays for Windows 2003 x86 (builds on Windows XP x86)</span></li><li><a name="volatility.plugins.gui.vtypes.win7.Win7GuiOverlay"></a><a href="volatility.plugins.gui.vtypes.win7.Win7GuiOverlay.html">volatility.plugins.gui.vtypes.win7.Win7GuiOverlay</a> - <span>Apply general overlays for Windows 7</span></li><li><a name="volatility.plugins.gui.vtypes.win7.Win7SP0x64GuiVTypes"></a><a href="volatility.plugins.gui.vtypes.win7.Win7SP0x64GuiVTypes.html">volatility.plugins.gui.vtypes.win7.Win7SP0x64GuiVTypes</a> - <span>Apply the base vtypes for Windows 7 SP0 x64</span></li><li><a name="volatility.plugins.gui.vtypes.win7.Win7SP0x86GuiVTypes"></a><a href="volatility.plugins.gui.vtypes.win7.Win7SP0x86GuiVTypes.html">volatility.plugins.gui.vtypes.win7.Win7SP0x86GuiVTypes</a> - <span>Apply the base vtypes for Windows 7 SP0 x86</span></li><li><a name="volatility.plugins.gui.vtypes.win7.Win7SP1x64GuiVTypes"></a><a href="volatility.plugins.gui.vtypes.win7.Win7SP1x64GuiVTypes.html">volatility.plugins.gui.vtypes.win7.Win7SP1x64GuiVTypes</a> - <span>Apply the base vtypes for Windows 7 SP1 x64</span></li><li><a name="volatility.plugins.gui.vtypes.win7.Win7SP1x86GuiVTypes"></a><a href="volatility.plugins.gui.vtypes.win7.Win7SP1x86GuiVTypes.html">volatility.plugins.gui.vtypes.win7.Win7SP1x86GuiVTypes</a> - <span>Apply the base vtypes for Windows 7 SP1 x86</span></li><li><a name="volatility.plugins.gui.vtypes.win7.Win7Vista2008x64Timers"></a><a href="volatility.plugins.gui.vtypes.win7.Win7Vista2008x64Timers.html">volatility.plugins.gui.vtypes.win7.Win7Vista2008x64Timers</a> - <span>Apply the tagTIMER for Windows 7, Vista, and 2008 x64</span></li><li><a name="volatility.plugins.gui.vtypes.win7.Win7Vista2008x86Timers"></a><a href="volatility.plugins.gui.vtypes.win7.Win7Vista2008x86Timers.html">volatility.plugins.gui.vtypes.win7.Win7Vista2008x86Timers</a> - <span>Apply the tagTIMER for Windows 7, Vista, and 2008 x86</span></li><li><a name="volatility.plugins.gui.vtypes.win7.Win7Win32KCoreClasses"></a><a href="volatility.plugins.gui.vtypes.win7.Win7Win32KCoreClasses.html">volatility.plugins.gui.vtypes.win7.Win7Win32KCoreClasses</a> - <span>Apply the core object classes for Windows 7</span></li><li><a name="volatility.plugins.gui.vtypes.xp.XP2003x64BaseVTypes"></a><a href="volatility.plugins.gui.vtypes.xp.XP2003x64BaseVTypes.html">volatility.plugins.gui.vtypes.xp.XP2003x64BaseVTypes</a> - <span>Applies to Windows XP and 2003 x64</span></li><li><a name="volatility.plugins.gui.vtypes.xp.XP2003x86BaseVTypes"></a><a href="volatility.plugins.gui.vtypes.xp.XP2003x86BaseVTypes.html">volatility.plugins.gui.vtypes.xp.XP2003x86BaseVTypes</a> - <span>Applies to everything x86 before Windows 7</span></li><li><a name="volatility.plugins.gui.win32k_core.AtomTablex64Overlay"></a><a href="volatility.plugins.gui.win32k_core.AtomTablex64Overlay.html">volatility.plugins.gui.win32k_core.AtomTablex64Overlay</a> - <span>Apply the atom table overlays for all x64 Windows</span></li><li><a name="volatility.plugins.gui.win32k_core.AtomTablex86Overlay"></a><a href="volatility.plugins.gui.win32k_core.AtomTablex86Overlay.html">volatility.plugins.gui.win32k_core.AtomTablex86Overlay</a> - <span>Apply the atom table overlays for all x86 Windows</span></li><li><a name="volatility.plugins.gui.win32k_core.Win32KCoreClasses"></a><a href="volatility.plugins.gui.win32k_core.Win32KCoreClasses.html">volatility.plugins.gui.win32k_core.Win32KCoreClasses</a> - <span>Apply the core object classes</span></li><li><a name="volatility.plugins.gui.win32k_core.Win32KGahtiVType"></a><a href="volatility.plugins.gui.win32k_core.Win32KGahtiVType.html">volatility.plugins.gui.win32k_core.Win32KGahtiVType</a> - <span>Apply a vtype for win32k!gahti. Adjust the number of handles according to the OS version</span></li><li><a name="volatility.plugins.gui.win32k_core.Win32Kx64VTypes"></a><a href="volatility.plugins.gui.win32k_core.Win32Kx64VTypes.html">volatility.plugins.gui.win32k_core.Win32Kx64VTypes</a> - <span>Applies to all x64 windows profiles.</span></li><li><a name="volatility.plugins.gui.win32k_core.Win32Kx86VTypes"></a><a href="volatility.plugins.gui.win32k_core.Win32Kx86VTypes.html">volatility.plugins.gui.win32k_core.Win32Kx86VTypes</a> - <span>Applies to all x86 windows profiles.</span></li><li><a name="volatility.plugins.gui.win32k_core.XP2003x64TimerVType"></a><a href="volatility.plugins.gui.win32k_core.XP2003x64TimerVType.html">volatility.plugins.gui.win32k_core.XP2003x64TimerVType</a> - <span>Apply the tagTIMER for XP and 2003 x64</span></li><li><a name="volatility.plugins.gui.win32k_core.XP2003x86TimerVType"></a><a href="volatility.plugins.gui.win32k_core.XP2003x86TimerVType.html">volatility.plugins.gui.win32k_core.XP2003x86TimerVType</a> - <span>Apply the tagTIMER for XP and 2003 x86</span></li><li><a name="volatility.plugins.gui.win32k_core.XPx86SessionOverlay"></a><a href="volatility.plugins.gui.win32k_core.XPx86SessionOverlay.html">volatility.plugins.gui.win32k_core.XPx86SessionOverlay</a> - <span>Apply the ResidentProcessCount overlay for x86 XP session spaces</span></li><li><a name="volatility.plugins.linux.bash.BashTypes"></a><a href="volatility.plugins.linux.bash.BashTypes.html">volatility.plugins.linux.bash.BashTypes</a> - <span class="undocumented">Undocumented</span></li><li><a name="volatility.plugins.linux.slab_info.LinuxKmemCacheOverlay"></a><a href="volatility.plugins.linux.slab_info.LinuxKmemCacheOverlay.html">volatility.plugins.linux.slab_info.LinuxKmemCacheOverlay</a> - <span class="undocumented">Undocumented</span></li><li><a name="volatility.plugins.malware.apihooks.MalwareWSPVTypes"></a><a href="volatility.plugins.malware.apihooks.MalwareWSPVTypes.html">volatility.plugins.malware.apihooks.MalwareWSPVTypes</a> - <span class="undocumented">Undocumented</span></li><li><a name="volatility.plugins.malware.callbacks.MalwareCallbackMods"></a><a href="volatility.plugins.malware.callbacks.MalwareCallbackMods.html">volatility.plugins.malware.callbacks.MalwareCallbackMods</a> - <span class="undocumented">Undocumented</span></li><li><a name="volatility.plugins.malware.cmdhistory.CmdHistoryObjectClasses"></a><a href="volatility.plugins.malware.cmdhistory.CmdHistoryObjectClasses.html">volatility.plugins.malware.cmdhistory.CmdHistoryObjectClasses</a> - <span>This modification applies the object classes for all versions of 32bit Windows.</span></li><li><a name="volatility.plugins.malware.cmdhistory.CmdHistoryVTypesWin7x64"></a><a href="volatility.plugins.malware.cmdhistory.CmdHistoryVTypesWin7x64.html">volatility.plugins.malware.cmdhistory.CmdHistoryVTypesWin7x64</a> - <span>This modification applies the vtypes for 64bit Windows starting with Windows 7.</span></li><li><a name="volatility.plugins.malware.cmdhistory.CmdHistoryVTypesWin7x86"></a><a href="volatility.plugins.malware.cmdhistory.CmdHistoryVTypesWin7x86.html">volatility.plugins.malware.cmdhistory.CmdHistoryVTypesWin7x86</a> - <span>This modification applies the vtypes for 32bit Windows starting with Windows 7.</span></li><li><a name="volatility.plugins.malware.cmdhistory.CmdHistoryVTypesx64"></a><a href="volatility.plugins.malware.cmdhistory.CmdHistoryVTypesx64.html">volatility.plugins.malware.cmdhistory.CmdHistoryVTypesx64</a> - <span>This modification applies the vtypes for 64bit Windows up to Windows 7.</span></li><li><a name="volatility.plugins.malware.cmdhistory.CmdHistoryVTypesx86"></a><a href="volatility.plugins.malware.cmdhistory.CmdHistoryVTypesx86.html">volatility.plugins.malware.cmdhistory.CmdHistoryVTypesx86</a> - <span>This modification applies the vtypes for 32bit Windows up to Windows 7.</span></li><li><a name="volatility.plugins.malware.devicetree.MalwareDrivers"></a><a href="volatility.plugins.malware.devicetree.MalwareDrivers.html">volatility.plugins.malware.devicetree.MalwareDrivers</a> - <span class="undocumented">Undocumented</span></li><li><a name="volatility.plugins.malware.idt.MalwareIDTGDTx86"></a><a href="volatility.plugins.malware.idt.MalwareIDTGDTx86.html">volatility.plugins.malware.idt.MalwareIDTGDTx86</a> - <span class="undocumented">Undocumented</span></li><li><a name="volatility.plugins.malware.malfind.MalwareObjectClasesXP"></a><a href="volatility.plugins.malware.malfind.MalwareObjectClasesXP.html">volatility.plugins.malware.malfind.MalwareObjectClasesXP</a> - <span class="undocumented">Undocumented</span></li><li><a name="volatility.plugins.malware.psxview.MalwarePspCid"></a><a href="volatility.plugins.malware.psxview.MalwarePspCid.html">volatility.plugins.malware.psxview.MalwarePspCid</a> - <span class="undocumented">Undocumented</span></li><li><a name="volatility.plugins.malware.svcscan.ServiceBase"></a><a href="volatility.plugins.malware.svcscan.ServiceBase.html">volatility.plugins.malware.svcscan.ServiceBase</a> - <span>The base applies to XP and 2003 SP0-SP1</span></li><li><a name="volatility.plugins.malware.svcscan.ServiceBasex64"></a><a href="volatility.plugins.malware.svcscan.ServiceBasex64.html">volatility.plugins.malware.svcscan.ServiceBasex64</a> - <span>This overrides the base x86 vtypes with x64 vtypes</span></li><li><a name="volatility.plugins.malware.svcscan.ServiceVista"></a><a href="volatility.plugins.malware.svcscan.ServiceVista.html">volatility.plugins.malware.svcscan.ServiceVista</a> - <span>Override the base with OC's for Vista, 2008, and 7</span></li><li><a name="volatility.plugins.malware.svcscan.ServiceVistax64"></a><a href="volatility.plugins.malware.svcscan.ServiceVistax64.html">volatility.plugins.malware.svcscan.ServiceVistax64</a> - <span>Override the base with vtypes for x64 Vista, 2008, and 7</span></li><li><a name="volatility.plugins.malware.svcscan.ServiceVistax86"></a><a href="volatility.plugins.malware.svcscan.ServiceVistax86.html">volatility.plugins.malware.svcscan.ServiceVistax86</a> - <span>Override the base with vtypes for x86 Vista, 2008, and 7</span></li><li><a name="volatility.plugins.malware.threads.MalwareKthread"></a><a href="volatility.plugins.malware.threads.MalwareKthread.html">volatility.plugins.malware.threads.MalwareKthread</a> - <span class="undocumented">Undocumented</span></li><li><a name="volatility.plugins.malware.timers.MalwareTimerVTypes"></a><a href="volatility.plugins.malware.timers.MalwareTimerVTypes.html">volatility.plugins.malware.timers.MalwareTimerVTypes</a> - <span class="undocumented">Undocumented</span></li><li><a name="volatility.plugins.netscan.NetscanObjectClasses"></a><a href="volatility.plugins.netscan.NetscanObjectClasses.html">volatility.plugins.netscan.NetscanObjectClasses</a> - <span>Network OCs for Vista, 2008, and 7 x86 and x64</span></li><li><a name="volatility.plugins.overlays.basic.BasicObjectClasses"></a><a href="volatility.plugins.overlays.basic.BasicObjectClasses.html">volatility.plugins.overlays.basic.BasicObjectClasses</a> - <span class="undocumented">Undocumented</span></li><li><a name="volatility.plugins.overlays.linux.linux.LinuxMountOverlay"></a><a href="volatility.plugins.overlays.linux.linux.LinuxMountOverlay.html">volatility.plugins.overlays.linux.linux.LinuxMountOverlay</a> - <span class="undocumented">Undocumented</span></li><li><a name="volatility.plugins.overlays.linux.linux.LinuxObjectClasses"></a><a href="volatility.plugins.overlays.linux.linux.LinuxObjectClasses.html">volatility.plugins.overlays.linux.linux.LinuxObjectClasses</a> - <span class="undocumented">Undocumented</span></li><li><a name="volatility.plugins.overlays.linux.linux.LinuxOverlay"></a><a href="volatility.plugins.overlays.linux.linux.LinuxOverlay.html">volatility.plugins.overlays.linux.linux.LinuxOverlay</a> - <span class="undocumented">Undocumented</span></li><li><a name="volatility.plugins.overlays.linux.linux64.Linux64ObjectClasses"></a><a href="volatility.plugins.overlays.linux.linux64.Linux64ObjectClasses.html">volatility.plugins.overlays.linux.linux64.Linux64ObjectClasses</a> - <span>Makes slight changes to the DTB checker</span></li><li><a name="volatility.plugins.overlays.windows.hibernate_vtypes.HiberVistaSP01x64"></a><a href="volatility.plugins.overlays.windows.hibernate_vtypes.HiberVistaSP01x64.html">volatility.plugins.overlays.windows.hibernate_vtypes.HiberVistaSP01x64</a> - <span class="undocumented">Undocumented</span></li><li><a name="volatility.plugins.overlays.windows.hibernate_vtypes.HiberVistaSP01x86"></a><a href="volatility.plugins.overlays.windows.hibernate_vtypes.HiberVistaSP01x86.html">volatility.plugins.overlays.windows.hibernate_vtypes.HiberVistaSP01x86</a> - <span class="undocumented">Undocumented</span></li><li><a name="volatility.plugins.overlays.windows.hibernate_vtypes.HiberVistaSP2x64"></a><a href="volatility.plugins.overlays.windows.hibernate_vtypes.HiberVistaSP2x64.html">volatility.plugins.overlays.windows.hibernate_vtypes.HiberVistaSP2x64</a> - <span class="undocumented">Undocumented</span></li><li><a name="volatility.plugins.overlays.windows.hibernate_vtypes.HiberVistaSP2x86"></a><a href="volatility.plugins.overlays.windows.hibernate_vtypes.HiberVistaSP2x86.html">volatility.plugins.overlays.windows.hibernate_vtypes.HiberVistaSP2x86</a> - <span class="undocumented">Undocumented</span></li><li><a name="volatility.plugins.overlays.windows.hibernate_vtypes.HiberWin2003x64"></a><a href="volatility.plugins.overlays.windows.hibernate_vtypes.HiberWin2003x64.html">volatility.plugins.overlays.windows.hibernate_vtypes.HiberWin2003x64</a> - <span class="undocumented">Undocumented</span></li><li><a name="volatility.plugins.overlays.windows.hibernate_vtypes.HiberWin7SP01x64"></a><a href="volatility.plugins.overlays.windows.hibernate_vtypes.HiberWin7SP01x64.html">volatility.plugins.overlays.windows.hibernate_vtypes.HiberWin7SP01x64</a> - <span class="undocumented">Undocumented</span></li><li><a name="volatility.plugins.overlays.windows.hibernate_vtypes.HiberWin7SP01x86"></a><a href="volatility.plugins.overlays.windows.hibernate_vtypes.HiberWin7SP01x86.html">volatility.plugins.overlays.windows.hibernate_vtypes.HiberWin7SP01x86</a> - <span class="undocumented">Undocumented</span></li><li><a name="volatility.plugins.overlays.windows.kdbg_vtypes.KDBGObjectClass"></a><a href="volatility.plugins.overlays.windows.kdbg_vtypes.KDBGObjectClass.html">volatility.plugins.overlays.windows.kdbg_vtypes.KDBGObjectClass</a> - <span>Add the KDBG object class to all Windows profiles</span></li><li><a name="volatility.plugins.overlays.windows.kpcr_vtypes.KPCRProfileModification"></a><a href="volatility.plugins.overlays.windows.kpcr_vtypes.KPCRProfileModification.html">volatility.plugins.overlays.windows.kpcr_vtypes.KPCRProfileModification</a> - <span class="undocumented">Undocumented</span></li><li><a name="volatility.plugins.overlays.windows.pe_vtypes.WinPEObjectClasses"></a><a href="volatility.plugins.overlays.windows.pe_vtypes.WinPEObjectClasses.html">volatility.plugins.overlays.windows.pe_vtypes.WinPEObjectClasses</a> - <span class="undocumented">Undocumented</span></li><li><a name="volatility.plugins.overlays.windows.pe_vtypes.WinPEVTypes"></a><a href="volatility.plugins.overlays.windows.pe_vtypes.WinPEVTypes.html">volatility.plugins.overlays.windows.pe_vtypes.WinPEVTypes</a> - <span class="undocumented">Undocumented</span></li><li><a name="volatility.plugins.overlays.windows.pe_vtypes.WinPEx64VTypes"></a><a href="volatility.plugins.overlays.windows.pe_vtypes.WinPEx64VTypes.html">volatility.plugins.overlays.windows.pe_vtypes.WinPEx64VTypes</a> - <span class="undocumented">Undocumented</span></li><li><a name="volatility.plugins.overlays.windows.ssdt_vtypes.AbstractSyscalls"></a><a href="volatility.plugins.overlays.windows.ssdt_vtypes.AbstractSyscalls.html">volatility.plugins.overlays.windows.ssdt_vtypes.AbstractSyscalls</a> - <span class="undocumented">Undocumented</span><ul><li><a name="volatility.plugins.overlays.windows.ssdt_vtypes.VistaSP0Syscalls"></a><a href="volatility.plugins.overlays.windows.ssdt_vtypes.VistaSP0Syscalls.html">volatility.plugins.overlays.windows.ssdt_vtypes.VistaSP0Syscalls</a> - <span class="undocumented">Undocumented</span></li><li><a name="volatility.plugins.overlays.windows.ssdt_vtypes.VistaSP0x64Syscalls"></a><a href="volatility.plugins.overlays.windows.ssdt_vtypes.VistaSP0x64Syscalls.html">volatility.plugins.overlays.windows.ssdt_vtypes.VistaSP0x64Syscalls</a> - <span class="undocumented">Undocumented</span></li><li><a name="volatility.plugins.overlays.windows.ssdt_vtypes.VistaSP12Syscalls"></a><a href="volatility.plugins.overlays.windows.ssdt_vtypes.VistaSP12Syscalls.html">volatility.plugins.overlays.windows.ssdt_vtypes.VistaSP12Syscalls</a> - <span class="undocumented">Undocumented</span></li><li><a name="volatility.plugins.overlays.windows.ssdt_vtypes.VistaSP12x64Syscalls"></a><a href="volatility.plugins.overlays.windows.ssdt_vtypes.VistaSP12x64Syscalls.html">volatility.plugins.overlays.windows.ssdt_vtypes.VistaSP12x64Syscalls</a> - <span class="undocumented">Undocumented</span></li><li><a name="volatility.plugins.overlays.windows.ssdt_vtypes.Win2003SP0Syscalls"></a><a href="volatility.plugins.overlays.windows.ssdt_vtypes.Win2003SP0Syscalls.html">volatility.plugins.overlays.windows.ssdt_vtypes.Win2003SP0Syscalls</a> - <span class="undocumented">Undocumented</span></li><li><a name="volatility.plugins.overlays.windows.ssdt_vtypes.Win2003SP12Syscalls"></a><a href="volatility.plugins.overlays.windows.ssdt_vtypes.Win2003SP12Syscalls.html">volatility.plugins.overlays.windows.ssdt_vtypes.Win2003SP12Syscalls</a> - <span class="undocumented">Undocumented</span></li><li><a name="volatility.plugins.overlays.windows.ssdt_vtypes.Win2003SP12x64Syscalls"></a><a href="volatility.plugins.overlays.windows.ssdt_vtypes.Win2003SP12x64Syscalls.html">volatility.plugins.overlays.windows.ssdt_vtypes.Win2003SP12x64Syscalls</a> - <span class="undocumented">Undocumented</span></li><li><a name="volatility.plugins.overlays.windows.ssdt_vtypes.Win7SP01Syscalls"></a><a href="volatility.plugins.overlays.windows.ssdt_vtypes.Win7SP01Syscalls.html">volatility.plugins.overlays.windows.ssdt_vtypes.Win7SP01Syscalls</a> - <span class="undocumented">Undocumented</span></li><li><a name="volatility.plugins.overlays.windows.ssdt_vtypes.Win7SP01x64Syscalls"></a><a href="volatility.plugins.overlays.windows.ssdt_vtypes.Win7SP01x64Syscalls.html">volatility.plugins.overlays.windows.ssdt_vtypes.Win7SP01x64Syscalls</a> - <span class="undocumented">Undocumented</span></li><li><a name="volatility.plugins.overlays.windows.ssdt_vtypes.WinXPSyscalls"></a><a href="volatility.plugins.overlays.windows.ssdt_vtypes.WinXPSyscalls.html">volatility.plugins.overlays.windows.ssdt_vtypes.WinXPSyscalls</a> - <span class="undocumented">Undocumented</span></li></ul></li><li><a name="volatility.plugins.overlays.windows.ssdt_vtypes.Win2003SyscallVTypes"></a><a href="volatility.plugins.overlays.windows.ssdt_vtypes.Win2003SyscallVTypes.html">volatility.plugins.overlays.windows.ssdt_vtypes.Win2003SyscallVTypes</a> - <span class="undocumented">Undocumented</span></li><li><a name="volatility.plugins.overlays.windows.ssdt_vtypes.Win64SyscallVTypes"></a><a href="volatility.plugins.overlays.windows.ssdt_vtypes.Win64SyscallVTypes.html">volatility.plugins.overlays.windows.ssdt_vtypes.Win64SyscallVTypes</a> - <span class="undocumented">Undocumented</span></li><li><a name="volatility.plugins.overlays.windows.ssdt_vtypes.WinSyscallsAttribute"></a><a href="volatility.plugins.overlays.windows.ssdt_vtypes.WinSyscallsAttribute.html">volatility.plugins.overlays.windows.ssdt_vtypes.WinSyscallsAttribute</a> - <span class="undocumented">Undocumented</span></li><li><a name="volatility.plugins.overlays.windows.tcpip_vtypes.Vista2008Tcpip"></a><a href="volatility.plugins.overlays.windows.tcpip_vtypes.Vista2008Tcpip.html">volatility.plugins.overlays.windows.tcpip_vtypes.Vista2008Tcpip</a> - <span class="undocumented">Undocumented</span></li><li><a name="volatility.plugins.overlays.windows.tcpip_vtypes.VistaSP12x64Tcpip"></a><a href="volatility.plugins.overlays.windows.tcpip_vtypes.VistaSP12x64Tcpip.html">volatility.plugins.overlays.windows.tcpip_vtypes.VistaSP12x64Tcpip</a> - <span class="undocumented">Undocumented</span></li><li><a name="volatility.plugins.overlays.windows.tcpip_vtypes.Win2003SP12Tcpip"></a><a href="volatility.plugins.overlays.windows.tcpip_vtypes.Win2003SP12Tcpip.html">volatility.plugins.overlays.windows.tcpip_vtypes.Win2003SP12Tcpip</a> - <span class="undocumented">Undocumented</span></li><li><a name="volatility.plugins.overlays.windows.tcpip_vtypes.Win7Tcpip"></a><a href="volatility.plugins.overlays.windows.tcpip_vtypes.Win7Tcpip.html">volatility.plugins.overlays.windows.tcpip_vtypes.Win7Tcpip</a> - <span class="undocumented">Undocumented</span></li><li><a name="volatility.plugins.overlays.windows.tcpip_vtypes.Win7Vista2008x64Tcpip"></a><a href="volatility.plugins.overlays.windows.tcpip_vtypes.Win7Vista2008x64Tcpip.html">volatility.plugins.overlays.windows.tcpip_vtypes.Win7Vista2008x64Tcpip</a> - <span class="undocumented">Undocumented</span></li><li><a name="volatility.plugins.overlays.windows.tcpip_vtypes.Win7x64Tcpip"></a><a href="volatility.plugins.overlays.windows.tcpip_vtypes.Win7x64Tcpip.html">volatility.plugins.overlays.windows.tcpip_vtypes.Win7x64Tcpip</a> - <span class="undocumented">Undocumented</span></li><li><a name="volatility.plugins.overlays.windows.tcpip_vtypes.WinXP2003Tcpipx64"></a><a href="volatility.plugins.overlays.windows.tcpip_vtypes.WinXP2003Tcpipx64.html">volatility.plugins.overlays.windows.tcpip_vtypes.WinXP2003Tcpipx64</a> - <span class="undocumented">Undocumented</span></li><li><a name="volatility.plugins.overlays.windows.vista.VistaMMVAD"></a><a href="volatility.plugins.overlays.windows.vista.VistaMMVAD.html">volatility.plugins.overlays.windows.vista.VistaMMVAD</a> - <span class="undocumented">Undocumented</span></li><li><a name="volatility.plugins.overlays.windows.vista.VistaSP0x64Hiber"></a><a href="volatility.plugins.overlays.windows.vista.VistaSP0x64Hiber.html">volatility.plugins.overlays.windows.vista.VistaSP0x64Hiber</a> - <span class="undocumented">Undocumented</span></li><li><a name="volatility.plugins.overlays.windows.vista.VistaSP0x86Hiber"></a><a href="volatility.plugins.overlays.windows.vista.VistaSP0x86Hiber.html">volatility.plugins.overlays.windows.vista.VistaSP0x86Hiber</a> - <span class="undocumented">Undocumented</span></li><li><a name="volatility.plugins.overlays.windows.vista.VistaSP1x64Hiber"></a><a href="volatility.plugins.overlays.windows.vista.VistaSP1x64Hiber.html">volatility.plugins.overlays.windows.vista.VistaSP1x64Hiber</a> - <span class="undocumented">Undocumented</span></li><li><a name="volatility.plugins.overlays.windows.vista.VistaSP1x86Hiber"></a><a href="volatility.plugins.overlays.windows.vista.VistaSP1x86Hiber.html">volatility.plugins.overlays.windows.vista.VistaSP1x86Hiber</a> - <span class="undocumented">Undocumented</span></li><li><a name="volatility.plugins.overlays.windows.vista.VistaSP2x64Hiber"></a><a href="volatility.plugins.overlays.windows.vista.VistaSP2x64Hiber.html">volatility.plugins.overlays.windows.vista.VistaSP2x64Hiber</a> - <span class="undocumented">Undocumented</span></li><li><a name="volatility.plugins.overlays.windows.vista.VistaSP2x86Hiber"></a><a href="volatility.plugins.overlays.windows.vista.VistaSP2x86Hiber.html">volatility.plugins.overlays.windows.vista.VistaSP2x86Hiber</a> - <span class="undocumented">Undocumented</span></li><li><a name="volatility.plugins.overlays.windows.vista.VistaWin7KPCR"></a><a href="volatility.plugins.overlays.windows.vista.VistaWin7KPCR.html">volatility.plugins.overlays.windows.vista.VistaWin7KPCR</a> - <span class="undocumented">Undocumented</span></li><li><a name="volatility.plugins.overlays.windows.vista.Vistax64DTB"></a><a href="volatility.plugins.overlays.windows.vista.Vistax64DTB.html">volatility.plugins.overlays.windows.vista.Vistax64DTB</a> - <span class="undocumented">Undocumented</span></li><li><a name="volatility.plugins.overlays.windows.vista.Vistax86DTB"></a><a href="volatility.plugins.overlays.windows.vista.Vistax86DTB.html">volatility.plugins.overlays.windows.vista.Vistax86DTB</a> - <span class="undocumented">Undocumented</span></li><li><a name="volatility.plugins.overlays.windows.win2003.EThreadCreateTime"></a><a href="volatility.plugins.overlays.windows.win2003.EThreadCreateTime.html">volatility.plugins.overlays.windows.win2003.EThreadCreateTime</a> - <span class="undocumented">Undocumented</span></li><li><a name="volatility.plugins.overlays.windows.win2003.Win2003MMVad"></a><a href="volatility.plugins.overlays.windows.win2003.Win2003MMVad.html">volatility.plugins.overlays.windows.win2003.Win2003MMVad</a> - <span class="undocumented">Undocumented</span></li><li><a name="volatility.plugins.overlays.windows.win2003.Win2003SP0x86DTB"></a><a href="volatility.plugins.overlays.windows.win2003.Win2003SP0x86DTB.html">volatility.plugins.overlays.windows.win2003.Win2003SP0x86DTB</a> - <span class="undocumented">Undocumented</span></li><li><a name="volatility.plugins.overlays.windows.win2003.Win2003x64DTB"></a><a href="volatility.plugins.overlays.windows.win2003.Win2003x64DTB.html">volatility.plugins.overlays.windows.win2003.Win2003x64DTB</a> - <span class="undocumented">Undocumented</span></li><li><a name="volatility.plugins.overlays.windows.win2003.Win2003x64Hiber"></a><a href="volatility.plugins.overlays.windows.win2003.Win2003x64Hiber.html">volatility.plugins.overlays.windows.win2003.Win2003x64Hiber</a> - <span class="undocumented">Undocumented</span></li><li><a name="volatility.plugins.overlays.windows.win2003.Win2003x86DTB"></a><a href="volatility.plugins.overlays.windows.win2003.Win2003x86DTB.html">volatility.plugins.overlays.windows.win2003.Win2003x86DTB</a> - <span class="undocumented">Undocumented</span></li><li><a name="volatility.plugins.overlays.windows.win2003.Win2003x86Hiber"></a><a href="volatility.plugins.overlays.windows.win2003.Win2003x86Hiber.html">volatility.plugins.overlays.windows.win2003.Win2003x86Hiber</a> - <span class="undocumented">Undocumented</span></li><li><a name="volatility.plugins.overlays.windows.win7.Win7ObjectClasses"></a><a href="volatility.plugins.overlays.windows.win7.Win7ObjectClasses.html">volatility.plugins.overlays.windows.win7.Win7ObjectClasses</a> - <span class="undocumented">Undocumented</span></li><li><a name="volatility.plugins.overlays.windows.win7.Win7Pointer64"></a><a href="volatility.plugins.overlays.windows.win7.Win7Pointer64.html">volatility.plugins.overlays.windows.win7.Win7Pointer64</a> - <span class="undocumented">Undocumented</span></li><li><a name="volatility.plugins.overlays.windows.win7.Win7x64DTB"></a><a href="volatility.plugins.overlays.windows.win7.Win7x64DTB.html">volatility.plugins.overlays.windows.win7.Win7x64DTB</a> - <span class="undocumented">Undocumented</span></li><li><a name="volatility.plugins.overlays.windows.win7.Win7x64Hiber"></a><a href="volatility.plugins.overlays.windows.win7.Win7x64Hiber.html">volatility.plugins.overlays.windows.win7.Win7x64Hiber</a> - <span class="undocumented">Undocumented</span></li><li><a name="volatility.plugins.overlays.windows.win7.Win7x86DTB"></a><a href="volatility.plugins.overlays.windows.win7.Win7x86DTB.html">volatility.plugins.overlays.windows.win7.Win7x86DTB</a> - <span class="undocumented">Undocumented</span></li><li><a name="volatility.plugins.overlays.windows.win7.Win7x86Hiber"></a><a href="volatility.plugins.overlays.windows.win7.Win7x86Hiber.html">volatility.plugins.overlays.windows.win7.Win7x86Hiber</a> - <span class="undocumented">Undocumented</span></li><li><a name="volatility.plugins.overlays.windows.windows.AbstractKDBGMod"></a><a href="volatility.plugins.overlays.windows.windows.AbstractKDBGMod.html">volatility.plugins.overlays.windows.windows.AbstractKDBGMod</a> - <span class="undocumented">Undocumented</span><ul><li><a name="volatility.plugins.overlays.windows.vista.VistaKDBG"></a><a href="volatility.plugins.overlays.windows.vista.VistaKDBG.html">volatility.plugins.overlays.windows.vista.VistaKDBG</a> - <span class="undocumented">Undocumented</span></li><li><a name="volatility.plugins.overlays.windows.vista.VistaSP1KDBG"></a><a href="volatility.plugins.overlays.windows.vista.VistaSP1KDBG.html">volatility.plugins.overlays.windows.vista.VistaSP1KDBG</a> - <span class="undocumented">Undocumented</span></li><li><a name="volatility.plugins.overlays.windows.win2003.Win2003KDBG"></a><a href="volatility.plugins.overlays.windows.win2003.Win2003KDBG.html">volatility.plugins.overlays.windows.win2003.Win2003KDBG</a> - <span class="undocumented">Undocumented</span></li><li><a name="volatility.plugins.overlays.windows.win7.Win7KDBG"></a><a href="volatility.plugins.overlays.windows.win7.Win7KDBG.html">volatility.plugins.overlays.windows.win7.Win7KDBG</a> - <span class="undocumented">Undocumented</span></li></ul></li><li><a name="volatility.plugins.overlays.windows.windows.WindowsObjectClasses"></a><a href="volatility.plugins.overlays.windows.windows.WindowsObjectClasses.html">volatility.plugins.overlays.windows.windows.WindowsObjectClasses</a> - <span class="undocumented">Undocumented</span></li><li><a name="volatility.plugins.overlays.windows.windows.WindowsOverlay"></a><a href="volatility.plugins.overlays.windows.windows.WindowsOverlay.html">volatility.plugins.overlays.windows.windows.WindowsOverlay</a> - <span class="undocumented">Undocumented</span></li><li><a name="volatility.plugins.overlays.windows.windows.WindowsVTypes"></a><a href="volatility.plugins.overlays.windows.windows.WindowsVTypes.html">volatility.plugins.overlays.windows.windows.WindowsVTypes</a> - <span class="undocumented">Undocumented</span></li><li><a name="volatility.plugins.overlays.windows.windows64.ExFastRefx64"></a><a href="volatility.plugins.overlays.windows.windows64.ExFastRefx64.html">volatility.plugins.overlays.windows.windows64.ExFastRefx64</a> - <span class="undocumented">Undocumented</span></li><li><a name="volatility.plugins.overlays.windows.windows64.Windows64Overlay"></a><a href="volatility.plugins.overlays.windows.windows64.Windows64Overlay.html">volatility.plugins.overlays.windows.windows64.Windows64Overlay</a> - <span class="undocumented">Undocumented</span></li><li><a name="volatility.plugins.overlays.windows.xp.XPOverlay"></a><a href="volatility.plugins.overlays.windows.xp.XPOverlay.html">volatility.plugins.overlays.windows.xp.XPOverlay</a> - <span class="undocumented">Undocumented</span></li><li><a name="volatility.plugins.pstree.ProcessAuditVTypes"></a><a href="volatility.plugins.pstree.ProcessAuditVTypes.html">volatility.plugins.pstree.ProcessAuditVTypes</a> - <span class="undocumented">Undocumented</span></li><li><a name="volatility.plugins.registry.shimcache.ShimCacheTypes2003x64"></a><a href="volatility.plugins.registry.shimcache.ShimCacheTypes2003x64.html">volatility.plugins.registry.shimcache.ShimCacheTypes2003x64</a> - <span class="undocumented">Undocumented</span></li><li><a name="volatility.plugins.registry.shimcache.ShimCacheTypes2003x86"></a><a href="volatility.plugins.registry.shimcache.ShimCacheTypes2003x86.html">volatility.plugins.registry.shimcache.ShimCacheTypes2003x86</a> - <span class="undocumented">Undocumented</span></li><li><a name="volatility.plugins.registry.shimcache.ShimCacheTypesVistax64"></a><a href="volatility.plugins.registry.shimcache.ShimCacheTypesVistax64.html">volatility.plugins.registry.shimcache.ShimCacheTypesVistax64</a> - <span class="undocumented">Undocumented</span></li><li><a name="volatility.plugins.registry.shimcache.ShimCacheTypesVistax86"></a><a href="volatility.plugins.registry.shimcache.ShimCacheTypesVistax86.html">volatility.plugins.registry.shimcache.ShimCacheTypesVistax86</a> - <span class="undocumented">Undocumented</span></li><li><a name="volatility.plugins.registry.shimcache.ShimCacheTypesWin7x64"></a><a href="volatility.plugins.registry.shimcache.ShimCacheTypesWin7x64.html">volatility.plugins.registry.shimcache.ShimCacheTypesWin7x64</a> - <span class="undocumented">Undocumented</span></li><li><a name="volatility.plugins.registry.shimcache.ShimCacheTypesWin7x86"></a><a href="volatility.plugins.registry.shimcache.ShimCacheTypesWin7x86.html">volatility.plugins.registry.shimcache.ShimCacheTypesWin7x86</a> - <span class="undocumented">Undocumented</span></li><li><a name="volatility.plugins.registry.shimcache.ShimCacheTypesXPx86"></a><a href="volatility.plugins.registry.shimcache.ShimCacheTypesXPx86.html">volatility.plugins.registry.shimcache.ShimCacheTypesXPx86</a> - <span class="undocumented">Undocumented</span></li><li><a name="volatility.plugins.userassist.UserAssistVTypes"></a><a href="volatility.plugins.userassist.UserAssistVTypes.html">volatility.plugins.userassist.UserAssistVTypes</a> - <span class="undocumented">Undocumented</span></li><li><a name="volatility.plugins.userassist.UserAssistWin7VTypes"></a><a href="volatility.plugins.userassist.UserAssistWin7VTypes.html">volatility.plugins.userassist.UserAssistWin7VTypes</a> - <span class="undocumented">Undocumented</span></li></ul></li><li><a name="volatility.plugins.addrspaces.hibernate.Store"></a><a href="volatility.plugins.addrspaces.hibernate.Store.html">volatility.plugins.addrspaces.hibernate.Store</a> - <span class="undocumented">Undocumented</span></li><li><a name="volatility.plugins.addrspaces.ieee1394.FWForensic1394"></a><a href="volatility.plugins.addrspaces.ieee1394.FWForensic1394.html">volatility.plugins.addrspaces.ieee1394.FWForensic1394</a> - <span class="undocumented">No class docstring; 3/4 methods documented</span></li><li><a name="volatility.plugins.addrspaces.ieee1394.FWRaw1394"></a><a href="volatility.plugins.addrspaces.ieee1394.FWRaw1394.html">volatility.plugins.addrspaces.ieee1394.FWRaw1394</a> - <span class="undocumented">No class docstring; 3/4 methods documented</span></li><li><a name="volatility.plugins.addrspaces.lime.segment"></a><a href="volatility.plugins.addrspaces.lime.segment.html">volatility.plugins.addrspaces.lime.segment</a> - <span class="undocumented">Undocumented</span></li><li><a name="volatility.plugins.gui.constants.FakeAtom"></a><a href="volatility.plugins.gui.constants.FakeAtom.html">volatility.plugins.gui.constants.FakeAtom</a> - <span class="undocumented">Undocumented</span></li><li><a name="volatility.plugins.gui.sessions.SessionsMixin"></a><a href="volatility.plugins.gui.sessions.SessionsMixin.html">volatility.plugins.gui.sessions.SessionsMixin</a> - <span>This is a mixin that plugins can inherit for access to the main sessions APIs.</span><ul><li><a href="volatility.plugins.gui.clipboard.Clipboard.html">volatility.plugins.gui.clipboard.Clipboard</a> - <span>Extract the contents of the windows clipboard</span></li><li><a href="volatility.plugins.gui.gditimers.GDITimers.html">volatility.plugins.gui.gditimers.GDITimers</a> - <span>Print installed GDI timers and callbacks</span></li><li><a href="volatility.plugins.gui.messagehooks.MessageHooks.html">volatility.plugins.gui.messagehooks.MessageHooks</a> - <span>List desktop and thread window message hooks</span><ul><li><a href="volatility.plugins.gui.windows.Windows.html">volatility.plugins.gui.windows.Windows</a> - <span>Print Desktop Windows (verbose details)</span></li><li><a href="volatility.plugins.gui.windows.WinTree.html">volatility.plugins.gui.windows.WinTree</a> - <span>Print Z-Order Desktop Windows Tree</span></li></ul></li><li><a href="volatility.plugins.gui.sessions.Sessions.html">volatility.plugins.gui.sessions.Sessions</a> - <span>List details on _MM_SESSION_SPACE (user logon sessions)</span><ul><li><a href="volatility.plugins.gui.eventhooks.EventHooks.html">volatility.plugins.gui.eventhooks.EventHooks</a> - <span>Print details on windows event hooks</span></li><li><a href="volatility.plugins.gui.gahti.Gahti.html">volatility.plugins.gui.gahti.Gahti</a> - <span>Dump the USER handle type information</span></li><li><a href="volatility.plugins.gui.userhandles.UserHandles.html">volatility.plugins.gui.userhandles.UserHandles</a> - <span>Dump the USER handle tables</span></li></ul></li><li><a href="volatility.plugins.gui.windowstations.WndScan.html">volatility.plugins.gui.windowstations.WndScan</a> - <span>Pool scanner for tagWINDOWSTATION (window stations)</span><ul><li><a href="volatility.plugins.gui.desktops.DeskScan.html">volatility.plugins.gui.desktops.DeskScan</a> - <span>Poolscaner for tagDESKTOP (desktops)</span></li><li><a href="volatility.plugins.gui.screenshot.Screenshot.html">volatility.plugins.gui.screenshot.Screenshot</a> - <span>Save a pseudo-screenshot based on GDI windows</span></li></ul></li></ul></li><li><a name="volatility.plugins.linux.arp.a_ent"></a><a href="volatility.plugins.linux.arp.a_ent.html">volatility.plugins.linux.arp.a_ent</a> - <span class="undocumented">Undocumented</span></li><li><a name="volatility.plugins.malware.apihooks.Hook"></a><a href="volatility.plugins.malware.apihooks.Hook.html">volatility.plugins.malware.apihooks.Hook</a> - <span>A class for API hooks. It helps organize the many pieces of information required to report on the hook.</span></li><li><a name="volatility.plugins.malware.apihooks.ModuleGroup"></a><a href="volatility.plugins.malware.apihooks.ModuleGroup.html">volatility.plugins.malware.apihooks.ModuleGroup</a> - <span>A class to assist with module lookups</span></li><li><a name="volatility.plugins.malware.malfind.BaseYaraScanner"></a><a href="volatility.plugins.malware.malfind.BaseYaraScanner.html">volatility.plugins.malware.malfind.BaseYaraScanner</a> - <span>An address space scanner for Yara signatures.</span><ul><li><a name="volatility.plugins.malware.malfind.DiscontigYaraScanner"></a><a href="volatility.plugins.malware.malfind.DiscontigYaraScanner.html">volatility.plugins.malware.malfind.DiscontigYaraScanner</a> - <span>A Scanner for Discontiguous scanning.</span></li><li><a name="volatility.plugins.malware.malfind.VadYaraScanner"></a><a href="volatility.plugins.malware.malfind.VadYaraScanner.html">volatility.plugins.malware.malfind.VadYaraScanner</a> - <span>A scanner over all memory regions of a process.</span></li></ul></li><li><a name="volatility.plugins.malware.threads.AbstractThreadCheck"></a><a href="volatility.plugins.malware.threads.AbstractThreadCheck.html">volatility.plugins.malware.threads.AbstractThreadCheck</a> - <span>Base thread check class</span><ul><li><a name="volatility.plugins.malware.threads.AttachedProcess"></a><a href="volatility.plugins.malware.threads.AttachedProcess.html">volatility.plugins.malware.threads.AttachedProcess</a> - <span>Detect threads attached to another process</span></li><li><a name="volatility.plugins.malware.threads.DkomExit"></a><a href="volatility.plugins.malware.threads.DkomExit.html">volatility.plugins.malware.threads.DkomExit</a> - <span>Detect inconsistencies wrt exit times and termination</span></li><li><a name="volatility.plugins.malware.threads.HideFromDebug"></a><a href="volatility.plugins.malware.threads.HideFromDebug.html">volatility.plugins.malware.threads.HideFromDebug</a> - <span>Detect threads hidden from debuggers</span></li><li><a name="volatility.plugins.malware.threads.HookedSSDT"></a><a href="volatility.plugins.malware.threads.HookedSSDT.html">volatility.plugins.malware.threads.HookedSSDT</a> - <span>Check if a thread is using a hooked SSDT</span></li><li><a name="volatility.plugins.malware.threads.HwBreakpoint"></a><a href="volatility.plugins.malware.threads.HwBreakpoint.html">volatility.plugins.malware.threads.HwBreakpoint</a> - <span>Detect threads with hardware breakpoints</span></li><li><a name="volatility.plugins.malware.threads.Impersonation"></a><a href="volatility.plugins.malware.threads.Impersonation.html">volatility.plugins.malware.threads.Impersonation</a> - <span>Detect impersonating threads</span></li><li><a name="volatility.plugins.malware.threads.OrphanThread"></a><a href="volatility.plugins.malware.threads.OrphanThread.html">volatility.plugins.malware.threads.OrphanThread</a> - <span>Detect orphan threads</span></li><li><a name="volatility.plugins.malware.threads.ScannerOnly"></a><a href="volatility.plugins.malware.threads.ScannerOnly.html">volatility.plugins.malware.threads.ScannerOnly</a> - <span>Detect threads no longer in a linked list</span></li><li><a name="volatility.plugins.malware.threads.SystemThread"></a><a href="volatility.plugins.malware.threads.SystemThread.html">volatility.plugins.malware.threads.SystemThread</a> - <span>Detect system threads</span></li></ul></li><li><a name="volatility.plugins.overlays.windows.windows64.Pointer64Decorator"></a><a href="volatility.plugins.overlays.windows.windows64.Pointer64Decorator.html">volatility.plugins.overlays.windows.windows64.Pointer64Decorator</a> - <span class="undocumented">Undocumented</span></li><li><a name="volatility.plugins.patcher.MultiPageScanner"></a><a href="volatility.plugins.patcher.MultiPageScanner.html">volatility.plugins.patcher.MultiPageScanner</a> - <span>Scans a page at a time through the address space</span></li><li><a name="volatility.plugins.patcher.PatcherObject"></a><a href="volatility.plugins.patcher.PatcherObject.html">volatility.plugins.patcher.PatcherObject</a> - <span>Simple object to hold patching data</span></li><li><a name="volatility.plugins.registry.registryapi.RegistryApi"></a><a href="volatility.plugins.registry.registryapi.RegistryApi.html">volatility.plugins.registry.registryapi.RegistryApi</a> - <span>A wrapper several highly used Registry functions</span></li><li><a name="volatility.registry.PluginImporter"></a><a href="volatility.registry.PluginImporter.html">volatility.registry.PluginImporter</a> - <span>This class searches through a comma-separated list of plugins and imports all classes found, based on their path and a fixed prefix.</span></li><li><a name="volatility.scan.BaseScanner"></a><a href="volatility.scan.BaseScanner.html">volatility.scan.BaseScanner</a> - <span>A more thorough scanner which checks every byte</span><ul><li><a name="volatility.plugins.kdbgscan.KDBGScanner"></a><a href="volatility.plugins.kdbgscan.KDBGScanner.html">volatility.plugins.kdbgscan.KDBGScanner</a> - <span class="undocumented">Undocumented</span></li><li><a name="volatility.plugins.kpcrscan.KPCRScanner"></a><a href="volatility.plugins.kpcrscan.KPCRScanner.html">volatility.plugins.kpcrscan.KPCRScanner</a> - <span class="undocumented">Undocumented</span></li><li><a name="volatility.scan.DiscontigScanner"></a><a href="volatility.scan.DiscontigScanner.html">volatility.scan.DiscontigScanner</a> - <span class="undocumented">Undocumented</span></li><li><a name="volatility.scan.PoolScanner"></a><a href="volatility.scan.PoolScanner.html">volatility.scan.PoolScanner</a> - <span class="undocumented">No class docstring; 1/2 methods documented</span><ul><li><a name="volatility.plugins.connscan.PoolScanConnFast"></a><a href="volatility.plugins.connscan.PoolScanConnFast.html">volatility.plugins.connscan.PoolScanConnFast</a> - <span class="undocumented">No class docstring; 1/1 methods documented</span></li><li><a name="volatility.plugins.filescan.PoolScanFile"></a><a href="volatility.plugins.filescan.PoolScanFile.html">volatility.plugins.filescan.PoolScanFile</a> - <span>PoolScanner for File objects</span><ul><li><a name="volatility.plugins.filescan.PoolScanDriver"></a><a href="volatility.plugins.filescan.PoolScanDriver.html">volatility.plugins.filescan.PoolScanDriver</a> - <span>Scanner for _DRIVER_OBJECT</span><ul><li><a name="volatility.plugins.filescan.PoolScanMutant"></a><a href="volatility.plugins.filescan.PoolScanMutant.html">volatility.plugins.filescan.PoolScanMutant</a> - <span>Scanner for Mutants _KMUTANT</span></li></ul></li><li><a name="volatility.plugins.filescan.PoolScanSymlink"></a><a href="volatility.plugins.filescan.PoolScanSymlink.html">volatility.plugins.filescan.PoolScanSymlink</a> - <span>Scanner for symbolic link objects</span></li></ul></li><li><a name="volatility.plugins.filescan.PoolScanProcess"></a><a href="volatility.plugins.filescan.PoolScanProcess.html">volatility.plugins.filescan.PoolScanProcess</a> - <span>PoolScanner for File objects</span></li><li><a name="volatility.plugins.gui.atoms.PoolScanAtom"></a><a href="volatility.plugins.gui.atoms.PoolScanAtom.html">volatility.plugins.gui.atoms.PoolScanAtom</a> - <span>Pool scanner for atom tables</span></li><li><a name="volatility.plugins.gui.windowstations.PoolScanWind"></a><a href="volatility.plugins.gui.windowstations.PoolScanWind.html">volatility.plugins.gui.windowstations.PoolScanWind</a> - <span>PoolScanner for window station objects</span></li><li><a name="volatility.plugins.malware.callbacks.AbstractCallbackScanner"></a><a href="volatility.plugins.malware.callbacks.AbstractCallbackScanner.html">volatility.plugins.malware.callbacks.AbstractCallbackScanner</a> - <span>Return the offset of the callback, no object headers</span><ul><li><a name="volatility.plugins.malware.callbacks.PoolScanDbgPrintCallback"></a><a href="volatility.plugins.malware.callbacks.PoolScanDbgPrintCallback.html">volatility.plugins.malware.callbacks.PoolScanDbgPrintCallback</a> - <span>PoolScanner for DebugPrint Callbacks on Vista and 7</span></li><li><a name="volatility.plugins.malware.callbacks.PoolScanFSCallback"></a><a href="volatility.plugins.malware.callbacks.PoolScanFSCallback.html">volatility.plugins.malware.callbacks.PoolScanFSCallback</a> - <span>PoolScanner for File System Callbacks</span></li><li><a name="volatility.plugins.malware.callbacks.PoolScanGenericCallback"></a><a href="volatility.plugins.malware.callbacks.PoolScanGenericCallback.html">volatility.plugins.malware.callbacks.PoolScanGenericCallback</a> - <span>PoolScanner for Generic Callbacks</span></li><li><a name="volatility.plugins.malware.callbacks.PoolScanPnp9"></a><a href="volatility.plugins.malware.callbacks.PoolScanPnp9.html">volatility.plugins.malware.callbacks.PoolScanPnp9</a> - <span>PoolScanner for Pnp9 (EventCategoryHardwareProfileChange)</span></li><li><a name="volatility.plugins.malware.callbacks.PoolScanPnpC"></a><a href="volatility.plugins.malware.callbacks.PoolScanPnpC.html">volatility.plugins.malware.callbacks.PoolScanPnpC</a> - <span>PoolScanner for PnpC (EventCategoryTargetDeviceChange)</span></li><li><a name="volatility.plugins.malware.callbacks.PoolScanPnpD"></a><a href="volatility.plugins.malware.callbacks.PoolScanPnpD.html">volatility.plugins.malware.callbacks.PoolScanPnpD</a> - <span>PoolScanner for PnpD (EventCategoryDeviceInterfaceChange)</span></li><li><a name="volatility.plugins.malware.callbacks.PoolScanRegistryCallback"></a><a href="volatility.plugins.malware.callbacks.PoolScanRegistryCallback.html">volatility.plugins.malware.callbacks.PoolScanRegistryCallback</a> - <span>PoolScanner for DebugPrint Callbacks on Vista and 7</span></li><li><a name="volatility.plugins.malware.callbacks.PoolScanShutdownCallback"></a><a href="volatility.plugins.malware.callbacks.PoolScanShutdownCallback.html">volatility.plugins.malware.callbacks.PoolScanShutdownCallback</a> - <span>PoolScanner for Shutdown Callbacks</span></li></ul></li><li><a name="volatility.plugins.modscan.PoolScanModuleFast"></a><a href="volatility.plugins.modscan.PoolScanModuleFast.html">volatility.plugins.modscan.PoolScanModuleFast</a> - <span class="undocumented">Undocumented</span></li><li><a name="volatility.plugins.modscan.PoolScanThreadFast"></a><a href="volatility.plugins.modscan.PoolScanThreadFast.html">volatility.plugins.modscan.PoolScanThreadFast</a> - <span>Carve out thread objects using the pool tag</span></li><li><a name="volatility.plugins.netscan.PoolScanUdpEndpoint"></a><a href="volatility.plugins.netscan.PoolScanUdpEndpoint.html">volatility.plugins.netscan.PoolScanUdpEndpoint</a> - <span>PoolScanner for Udp Endpoints</span><ul><li><a name="volatility.plugins.netscan.PoolScanTcpEndpoint"></a><a href="volatility.plugins.netscan.PoolScanTcpEndpoint.html">volatility.plugins.netscan.PoolScanTcpEndpoint</a> - <span>PoolScanner for TCP Endpoints</span></li><li><a name="volatility.plugins.netscan.PoolScanTcpListener"></a><a href="volatility.plugins.netscan.PoolScanTcpListener.html">volatility.plugins.netscan.PoolScanTcpListener</a> - <span>PoolScanner for Tcp Listeners</span></li></ul></li><li><a name="volatility.plugins.registry.hivescan.PoolScanHiveFast2"></a><a href="volatility.plugins.registry.hivescan.PoolScanHiveFast2.html">volatility.plugins.registry.hivescan.PoolScanHiveFast2</a> - <span class="undocumented">Undocumented</span></li><li><a name="volatility.plugins.sockscan.PoolScanSockFast"></a><a href="volatility.plugins.sockscan.PoolScanSockFast.html">volatility.plugins.sockscan.PoolScanSockFast</a> - <span class="undocumented">No class docstring; 1/1 methods documented</span></li></ul></li></ul></li><li><a name="volatility.scan.ScannerCheck"></a><a href="volatility.scan.ScannerCheck.html">volatility.scan.ScannerCheck</a> - <span>A scanner check is a special class which is invoked on an AS to check for a specific condition.</span><ul><li><a name="volatility.plugins.common.CheckPoolIndex"></a><a href="volatility.plugins.common.CheckPoolIndex.html">volatility.plugins.common.CheckPoolIndex</a> - <span>Checks the pool index</span></li><li><a name="volatility.plugins.common.CheckPoolSize"></a><a href="volatility.plugins.common.CheckPoolSize.html">volatility.plugins.common.CheckPoolSize</a> - <span>Check pool block size</span></li><li><a name="volatility.plugins.common.CheckPoolType"></a><a href="volatility.plugins.common.CheckPoolType.html">volatility.plugins.common.CheckPoolType</a> - <span>Check the pool type</span></li><li><a name="volatility.plugins.common.PoolTagCheck"></a><a href="volatility.plugins.common.PoolTagCheck.html">volatility.plugins.common.PoolTagCheck</a> - <span>This scanner checks for the occurance of a pool tag</span></li><li><a name="volatility.plugins.filescan.CheckProcess"></a><a href="volatility.plugins.filescan.CheckProcess.html">volatility.plugins.filescan.CheckProcess</a> - <span>Check sanity of _EPROCESS</span></li><li><a name="volatility.plugins.kdbgscan.MultiStringFinderCheck"></a><a href="volatility.plugins.kdbgscan.MultiStringFinderCheck.html">volatility.plugins.kdbgscan.MultiStringFinderCheck</a> - <span>Checks for multiple strings per page</span><ul><li><a name="volatility.plugins.kdbgscan.MultiPrefixFinderCheck"></a><a href="volatility.plugins.kdbgscan.MultiPrefixFinderCheck.html">volatility.plugins.kdbgscan.MultiPrefixFinderCheck</a> - <span>Checks for multiple strings per page, finishing at the offset</span></li></ul></li><li><a name="volatility.plugins.kpcrscan.KPCRScannerCheck"></a><a href="volatility.plugins.kpcrscan.KPCRScannerCheck.html">volatility.plugins.kpcrscan.KPCRScannerCheck</a> - <span>Checks the self referential pointers to find KPCRs</span></li><li><a name="volatility.plugins.modscan.CheckThreads"></a><a href="volatility.plugins.modscan.CheckThreads.html">volatility.plugins.modscan.CheckThreads</a> - <span>Check sanity of _ETHREAD</span></li><li><a name="volatility.plugins.registry.hivescan.CheckHiveSig"></a><a href="volatility.plugins.registry.hivescan.CheckHiveSig.html">volatility.plugins.registry.hivescan.CheckHiveSig</a> - <span>Check for a registry hive signature</span></li><li><a name="volatility.plugins.sockscan.CheckSocketCreateTime"></a><a href="volatility.plugins.sockscan.CheckSocketCreateTime.html">volatility.plugins.sockscan.CheckSocketCreateTime</a> - <span>Check that _ADDRESS_OBJECT.CreateTime makes sense</span></li></ul></li></ul></li><li>optparse.OptionParser<ul><li><a name="volatility.conf.PyFlagOptionParser"></a><a href="volatility.conf.PyFlagOptionParser.html">volatility.conf.PyFlagOptionParser</a> - <span class="undocumented">Undocumented</span></li></ul></li><li>property<ul><li><a name="volatility.obj.classproperty"></a><a href="volatility.obj.classproperty.html">volatility.obj.classproperty</a> - <span class="undocumented">Undocumented</span></li></ul></li><li><a name="volatility.plugins.linux.common.vol_timespec"></a><a href="volatility.plugins.linux.common.vol_timespec.html">volatility.plugins.linux.common.vol_timespec</a> - <span class="undocumented">Undocumented</span></li></ul>
  </body>
</html>